# unpatched code clones: 2129

[linux_CVE-2005-0504_1178609499_moxaload320b.diff] moxaload320b_OLD.c #1
void __iomem *baseAddr; int i; - if(len > sizeof(moxaBuff)) + if(len < 0 || len > sizeof(moxaBuff)) return -EINVAL; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT;
.\cloneFuncs\totalClone\Type-1\CVE-2005-0504_before_1mo_1171100735_moxaload320b.c
1
2
static int moxaload320b(int cardno, unsigned char __user *tmp, int len) {
+ show +
3
4
5
6
7
8
9
void __iomem *baseAddr; int i; if(len > sizeof(moxaBuff)) return -EINVAL; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT;
+ show +
10
11
12
13
14
15
16
17
18
19
baseAddr = moxa_boards[cardno].basemem; writew(len - 7168 - 2, baseAddr + C320bapi_len); writeb(1, baseAddr + Control_reg); /* Select Page 1 */ for (i = 0; i < 7168; i++) writeb(moxaBuff[i], baseAddr + DynPage_addr + i); writeb(2, baseAddr + Control_reg); /* Select Page 2 */ for (i = 0; i < (len - 7168); i++) writeb(moxaBuff[i + 7168], baseAddr + DynPage_addr + i); return (0); }
.\cloneFuncs\totalClone\Type-2\CVE-2005-0504_before_6mo_1161451441_moxaload320b.c
1
2
static int moxaload320b(int cardno, unsigned char __user *tmp, int len) {
+ show +
3
4
5
6
7
8
9
void __iomem *baseAddr; int i; if(len > sizeof(moxaBuff)) return -EINVAL; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT;
+ show +
10
11
12
13
14
15
16
17
18
19
baseAddr = moxaBaseAddr[cardno]; writew(len - 7168 - 2, baseAddr + C320bapi_len); writeb(1, baseAddr + Control_reg); /* Select Page 1 */ for (i = 0; i < 7168; i++) writeb(moxaBuff[i], baseAddr + DynPage_addr + i); writeb(2, baseAddr + Control_reg); /* Select Page 2 */ for (i = 0; i < (len - 7168); i++) writeb(moxaBuff[i + 7168], baseAddr + DynPage_addr + i); return (0); }

[linux_CVE-2005-0504_1178609499_moxaloadbios.diff] moxaloadbios_OLD.c #1
void __iomem *baseAddr; int i; + if(len < 0 || len > sizeof(moxaBuff)) + return -EINVAL; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT; baseAddr = moxa_boards[cardno].basemem;
.\cloneFuncs\totalClone\Type-1\CVE-2005-0504_before_1mo_1171100735_moxaloadbios.c
1
2
static int moxaloadbios(int cardno, unsigned char __user *tmp, int len) {
+ show +
3
4
5
6
7
8
void __iomem *baseAddr; int i; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT; baseAddr = moxa_boards[cardno].basemem;
+ show +
9
10
11
12
13
14
15
16
17
writeb(HW_reset, baseAddr + Control_reg); /* reset */ moxadelay(1); /* delay 10 ms */ for (i = 0; i < 4096; i++) writeb(0, baseAddr + i); /* clear fix page */ for (i = 0; i < len; i++) writeb(moxaBuff[i], baseAddr + i); /* download BIOS */ writeb(0, baseAddr + Control_reg); /* restart */ return (0); }

[linux_CVE-2005-0504_1178609499_moxaloadcode.diff] moxaloadcode_OLD.c #1
void __iomem *baseAddr, *ofsAddr; int retval, port, i; + if(len < 0 || len > sizeof(moxaBuff)) + return -EINVAL; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT; baseAddr = moxa_boards[cardno].basemem;
.\cloneFuncs\totalClone\Type-1\CVE-2005-0504_before_1mo_1171100735_moxaloadcode.c
1
2
static int moxaloadcode(int cardno, unsigned char __user *tmp, int len) {
+ show +
3
4
5
6
7
8
void __iomem *baseAddr, *ofsAddr; int retval, port, i; if(copy_from_user(moxaBuff, tmp, len)) return -EFAULT; baseAddr = moxa_boards[cardno].basemem;
+ show +
9
10
11
12
13
14
15
16
17
18
switch (moxa_boards[cardno].boardType) { case MOXA_BOARD_C218_ISA: case MOXA_BOARD_C218_PCI: case MOXA_BOARD_CP204J: retval = moxaloadc218(cardno, baseAddr, len); if (retval) return (retval); port = cardno * MAX_PORTS_PER_BOARD; for (i = 0; i < moxa_boards[cardno].numPorts; i++, port++) { struct moxa_port *p = &moxa_ports[port];

[linux_CVE-2005-3358_1136243248_mpol_new.diff] mpol_new_OLD.c #1
switch (mode) { case MPOL_INTERLEAVE: policy->v.nodes = *nodes; + if (nodes_weight(*nodes) == 0) { + kmem_cache_free(policy_cache, policy); + return ERR_PTR(-EINVAL); + } break; case MPOL_PREFERRED: policy->v.preferred_node = first_node(*nodes);
.\cloneFuncs\totalClone\Type-1\CVE-2005-3358_before_1mo_1132637535_mpol_new.c
2
3
4
5
6
7
8
9
10
11
{ struct mempolicy *policy; PDprintk("setting mode %d nodes[0] %lx\n", mode, nodes_addr(*nodes)[0]); if (mode == MPOL_DEFAULT) return NULL; policy = kmem_cache_alloc(policy_cache, GFP_KERNEL); if (!policy) return ERR_PTR(-ENOMEM); atomic_set(&policy->refcnt, 1);
+ show +
12
13
14
15
16
17
switch (mode) { case MPOL_INTERLEAVE: policy->v.nodes = *nodes; break; case MPOL_PREFERRED: policy->v.preferred_node = first_node(*nodes);
+ show +
18
19
20
21
22
23
24
25
26
27
if (policy->v.preferred_node >= MAX_NUMNODES) policy->v.preferred_node = -1; break; case MPOL_BIND: policy->v.zonelist = bind_zonelist(nodes); if (policy->v.zonelist == NULL) { kmem_cache_free(policy_cache, policy); return ERR_PTR(-ENOMEM); } break;

[linux_CVE-2006-0039_1148030212_do_add_counters.diff] do_add_counters_OLD.c #1
write_lock_bh(&t->lock); private = t->private; - if (private->number != paddc->num_counters) { + if (private->number != tmp.num_counters) { ret = -EINVAL; goto unlock_up_free; }
.\cloneFuncs\totalClone\Type-1\CVE-2006-0039_before_1mo_1144734770_do_add_counters.c
22
23
24
25
26
27
28
29
30
31
ret = -EFAULT; goto free; } t = xt_find_table_lock(AF_INET6, tmp.name); if (!t || IS_ERR(t)) { ret = t ? PTR_ERR(t) : -ENOENT; goto free; }
+ show +
32
33
34
35
36
37
write_lock_bh(&t->lock); private = t->private; if (private->number != paddc->num_counters) { ret = -EINVAL; goto unlock_up_free; }
+ show +
38
39
40
41
42
43
44
45
46
47
i = 0; /* Choose the copy that is on our node */ loc_cpu_entry = private->entries[smp_processor_id()]; IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, add_counter_to_entry, paddc->counters, &i); unlock_up_free:
.\cloneFuncs\totalClone\Type-3\CVE-2006-0039_before_1mo_1143592626_do_add_counters.c
21
22
23
24
25
26
27
28
29
30
ret = -EFAULT; goto free; } t = xt_find_table_lock(NF_ARP, tmp.name); if (!t || IS_ERR(t)) { ret = t ? PTR_ERR(t) : -ENOENT; goto free; }
+ show +
31
32
33
34
35
36
write_lock_bh(&t->lock); private = t->private; if (private->number != paddc->num_counters) { ret = -EINVAL; goto unlock_up_free; }
+ show +
37
38
39
40
41
42
43
44
45
46
i = 0; /* Choose the copy that is on our node */ loc_cpu_entry = private->entries[smp_processor_id()]; ARPT_ENTRY_ITERATE(loc_cpu_entry, private->size, add_counter_to_entry, paddc->counters, &i); unlock_up_free:

[linux_CVE-2006-1343_1148881818_getorigdst.diff] getorigdst_OLD.c #1
.tuple.dst.u.tcp.port; sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] .tuple.dst.u3.ip; + memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
.\cloneFuncs\totalClone\Type-1\CVE-2006-1343_before_1mo_1144357789_getorigdst.c
25
26
27
28
29
30
31
32
33
34
return -EINVAL; } h = nf_conntrack_find_get(&tuple, NULL); if (h) { struct sockaddr_in sin; struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); sin.sin_family = AF_INET; sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
+ show +
35
36
37
38
39
40
.tuple.dst.u.tcp.port; sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] .tuple.dst.u3.ip; DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
+ show +
41
42
43
44
45
46
47
48
49
50
nf_ct_put(ct); if (copy_to_user(user, &sin, sizeof(sin)) != 0) return -EFAULT; else return 0; } DEBUGP("SO_ORIGINAL_DST: Can't find %u.%u.%u.%u/%u-%u.%u.%u.%u/%u.\n", NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port), NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port)); return -ENOENT;

[linux_CVE-2006-1524_1145310392_madvise_remove.diff] madvise_remove_OLD.c #1
return -EINVAL; } + if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE)) + return -EACCES; + mapping = vma->vm_file->f_mapping; offset = (loff_t)(start - vma->vm_start)
.\cloneFuncs\totalClone\Type-1\CVE-2006-1524_before_1mo_1136535038_madvise_remove.c
2
3
4
5
6
7
8
9
10
11
unsigned long start, unsigned long end) { struct address_space *mapping; loff_t offset, endoff; if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) return -EINVAL; if (!vma->vm_file || !vma->vm_file->f_mapping || !vma->vm_file->f_mapping->host) {
+ show +
12
13
14
15
16
17
return -EINVAL; } mapping = vma->vm_file->f_mapping; offset = (loff_t)(start - vma->vm_start)
+ show +
18
19
20
21
22
+ ((loff_t)vma->vm_pgoff << PAGE_SHIFT); endoff = (loff_t)(end - vma->vm_start - 1) + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); return vmtruncate_range(mapping->host, offset, endoff); }

[linux_CVE-2006-1527_1150785585_match_packet.diff] match_packet_OLD.c #1
do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); - if (sch == NULL) { + if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2006-1527_before_1mo_1143592626_match_packet.c
11
12
13
14
15
16
17
18
19
20
sctp_chunkhdr_t _sch, *sch; #ifdef DEBUG_SCTP int i = 0; #endif if (chunk_match_type == SCTP_CHUNK_MATCH_ALL) { SCTP_CHUNKMAP_COPY(chunkmapcopy, chunkmap); }
+ show +
21
22
23
24
25
26
do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); if (sch == NULL) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0;
+ show +
27
28
29
30
31
32
33
34
35
36
} duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", ++i, offset, sch->type, htons(sch->length), sch->flags); offset += (htons(sch->length) + 3) & ~3; duprintf("skb->len: %d\toffset: %d\n", skb->len, offset); if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) {

[linux_CVE-2006-1864_1147711437_smb_lookup.diff] smb_lookup_OLD.c #1
if (dentry->d_name.len > SMB_MAXNAMELEN) goto out; + /* Do not allow lookup of names with backslashes in */ + error = -EINVAL; + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) + goto out; + lock_kernel(); error = smb_proc_getattr(dentry, &finfo); #ifdef SMBFS_PARANOIA
.\cloneFuncs\totalClone\Type-1\CVE-2006-1864_before_1mo_1138791879_smb_lookup.c
1
2
3
4
5
6
7
8
9
static struct dentry * smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd) { struct smb_fattr finfo; struct inode *inode; int error; struct smb_sb_info *server; error = -ENAMETOOLONG;
+ show +
10
11
12
13
14
15
if (dentry->d_name.len > SMB_MAXNAMELEN) goto out; lock_kernel(); error = smb_proc_getattr(dentry, &finfo); #ifdef SMBFS_PARANOIA
+ show +
16
17
18
19
20
21
22
23
24
25
if (error && error != -ENOENT) PARANOIA("find %s/%s failed, error=%d\n", DENTRY_PATH(dentry), error); #endif inode = NULL; if (error == -ENOENT) goto add_entry; if (!error) { error = -EACCES;

[openssl_CVE-2006-2937_1159449644_asn1_d2i_ex_primitive.diff] asn1_d2i_ex_primitive_OLD.c #1
} else if (ret == -1) return -1; + ret = 0; /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
.\cloneFuncs\totalClone\Type-1\CVE-2006-2937_before_imd_1157055037_asn1_d2i_ex_primitive.c
58
59
60
61
62
63
64
65
66
67
aclass = V_ASN1_UNIVERSAL; } p = *in; /* Check header */ ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); return 0;
+ show +
68
69
70
71
72
73
} else if (ret == -1) return -1; /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
+ show +
74
75
76
77
78
79
80
81
82
83
{ /* Clear context cache for type OTHER because the auto clear * when we have a exact match wont work */ if (utype == V_ASN1_OTHER) { asn1_tlc_clear(ctx); } /* SEQUENCE and SET must be constructed */ else if (!cst)
.\cloneFuncs\totalClone\Type-3\CVE-2006-2937_before_1mo_1140356687_asn1_d2i_ex_primitive.c
58
59
60
61
62
63
64
65
66
67
aclass = V_ASN1_UNIVERSAL; } p = *in; /* Check header */ ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); return 0;
+ show +
68
69
70
71
72
73
} else if (ret == -1) return -1; /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
+ show +
74
75
76
77
78
79
80
81
82
83
{ /* Clear context cache for type OTHER because the auto clear * when we have a exact match wont work */ if (utype == V_ASN1_OTHER) { asn1_tlc_clear(ctx); } /* SEQUENCE and SET must be constructed */ else if (!cst)

[linux_CVE-2006-3745_1156272639_sctp_sendmsg.diff] sctp_sendmsg_OLD.c #1
goto out_unlock; } if (sinfo_flags & SCTP_ABORT) { + struct sctp_chunk *chunk; + + chunk = sctp_make_abort_user(asoc, msg, msg_len); + if (!chunk) { + err = -ENOMEM; + goto out_unlock; + } + SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc); - sctp_primitive_ABORT(asoc, msg); + sctp_primitive_ABORT(asoc, chunk); err = 0; goto out_unlock; }
.\cloneFuncs\totalClone\Type-1\CVE-2006-3745_before_1mo_1153518347_sctp_sendmsg.c
147
148
149
150
151
152
153
154
155
156
if (sctp_state(asoc, CLOSED) && sctp_style(sk, TCP)) { err = -EPIPE; goto out_unlock; } if (sinfo_flags & SCTP_EOF) { SCTP_DEBUG_PRINTK("Shutting down association: %p\n", asoc); sctp_primitive_SHUTDOWN(asoc, NULL); err = 0;
+ show +
157
158
159
160
161
162
163
164
goto out_unlock; } if (sinfo_flags & SCTP_ABORT) { SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc); sctp_primitive_ABORT(asoc, msg); err = 0; goto out_unlock; }
+ show +
165
166
167
168
169
170
171
172
173
174
} /* Do we need to create the association? */ if (!asoc) { SCTP_DEBUG_PRINTK("There is no association yet.\n"); if (sinfo_flags & (SCTP_EOF | SCTP_ABORT)) { err = -EINVAL; goto out_unlock; }

[xen_CVE-2007-0998_1175009032_do_key_event.diff] do_key_event_OLD.c #1
kbd_put_keycode(keycode & 0x7f); else kbd_put_keycode(keycode | 0x80); +#ifdef QEMU_VNC_MONITOR_EXPORT } else if (down) { int qemu_keysym = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2007-0998_before_1mo_1167325891_do_key_event.c
22
23
24
25
26
27
28
29
30
31
else if (numlock == -1) { if (vs->numlock) { vs->numlock = 0; press_key(vs, XK_Num_Lock); } } if (keycode & 0x80) kbd_put_keycode(0xe0); if (down)
+ show +
32
33
34
35
36
kbd_put_keycode(keycode & 0x7f); else kbd_put_keycode(keycode | 0x80); } else if (down) { int qemu_keysym = 0;
+ show +
37
38
39
40
41
42
43
44
45
46
if (sym <= 128) { /* normal ascii */ int shifted = vs->shift_keys == 1 || vs->shift_keys == 2; qemu_keysym = sym; if (sym >= 'a' && sym <= 'z' && shifted) qemu_keysym -= 'a' - 'A'; } else { switch (sym) { case XK_Up: qemu_keysym = QEMU_KEY_UP; break; case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break;
.\cloneFuncs\totalClone\Type-3\CVE-2007-0998_before_6mo_1159296607_do_key_event.c
2
3
4
5
6
7
8
9
10
11
{ sym &= 0xFFFF; if (is_graphic_console()) { int keycode; keycode = keysym2scancode(vs->kbd_layout, sym); if (keycode & 0x80) kbd_put_keycode(0xe0); if (down)
+ show +
12
13
14
15
16
kbd_put_keycode(keycode & 0x7f); else kbd_put_keycode(keycode | 0x80); } else if (down) { int qemu_keysym = 0;
+ show +
17
18
19
20
21
22
23
24
25
26
if (sym <= 128) /* normal ascii */ qemu_keysym = sym; else { switch (sym) { case XK_Up: qemu_keysym = QEMU_KEY_UP; break; case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break; case XK_Left: qemu_keysym = QEMU_KEY_LEFT; break; case XK_Right: qemu_keysym = QEMU_KEY_RIGHT; break; case XK_Home: qemu_keysym = QEMU_KEY_HOME; break;

[xen_CVE-2007-0998_1175009032_do_key_event.diff] do_key_event_OLD.c #2
} if (qemu_keysym != 0) kbd_put_keysym(qemu_keysym); +#endif } +#ifdef QEMU_VNC_MONITOR_EXPORT if (down) { switch (sym) { case XK_Control_L:
.\cloneFuncs\totalClone\Type-1\CVE-2007-0998_before_1mo_1167325891_do_key_event.c
49
50
51
52
53
54
55
56
57
58
case XK_Home: qemu_keysym = QEMU_KEY_HOME; break; case XK_End: qemu_keysym = QEMU_KEY_END; break; case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break; case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break; case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break; case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break; case XK_Return: case XK_Linefeed: qemu_keysym = sym; break; default: break; }
+ show +
59
60
61
62
63
64
65
66
} if (qemu_keysym != 0) kbd_put_keysym(qemu_keysym); } if (down) { switch (sym) { case XK_Control_L:
+ show +
67
68
69
70
71
72
73
74
75
76
vs->ctl_keys |= 1; break; case XK_Alt_L: vs->ctl_keys |= 2; break; case XK_Shift_L: vs->shift_keys |= 1; break;
.\cloneFuncs\totalClone\Type-3\CVE-2007-0998_before_6mo_1159296607_do_key_event.c
26
27
28
29
30
31
32
33
34
35
case XK_Home: qemu_keysym = QEMU_KEY_HOME; break; case XK_End: qemu_keysym = QEMU_KEY_END; break; case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break; case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break; case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break; case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break; case XK_Return: case XK_Linefeed: qemu_keysym = sym; break; default: break; }
+ show +
36
37
38
39
40
41
42
43
} if (qemu_keysym != 0) kbd_put_keysym(qemu_keysym); } if (down) { switch (sym) { case XK_Control_L:
+ show +
44
45
46
47
48
49
50
51
52
53
vs->ctl_keys |= 1; break; case XK_Alt_L: vs->ctl_keys |= 2; break; default: break; }

[xen_CVE-2007-0998_1175009032_do_key_event.diff] do_key_event_OLD.c #3
break; } } +#else + if (!down && sym == XK_Num_Lock) + vs->numlock = !vs->numlock; +#endif }
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
50
51
52
53
54
55
56
57
58
59
int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX, "ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic));
+ show +
60
61
62
63
break; } } }
+ show +
64
65
66
67
68
69
70
71
72
73
if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n"); break;
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
63
64
65
66
67
68
69
70
71
72
} if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
+ show +
73
74
75
76
break; } } }
+ show +
77
78
79
80
81
82
83
84
85
86
/* * Set root entries for each VT-d engine. After set root entry, * must globally invalidate context cache, and then globally * invalidate IOTLB */ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_after_imd_1355593562_decode_slice_header.c
614
615
616
617
618
619
620
621
622
623
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
624
625
626
627
break; } } }
+ show +
628
629
630
631
632
633
634
635
636
637
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
683
684
685
686
687
688
689
690
691
692
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
693
694
695
696
break; } } }
+ show +
697
698
699
700
701
702
703
704
705
706
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-1\CVE-2013-6368_before_1mo_1381164480___vcpu_run.c
26
27
28
29
30
31
32
33
34
35
vcpu->arch.pv.pv_unhalted = false; vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE; case KVM_MP_STATE_RUNNABLE: vcpu->arch.apf.halted = false; break; case KVM_MP_STATE_INIT_RECEIVED: break; default: r = -EINTR;
+ show +
36
37
38
39
break; } } }
+ show +
40
41
42
43
44
45
46
47
48
49
if (r <= 0) break; clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests); if (kvm_cpu_has_pending_timer(vcpu)) kvm_inject_pending_timer_irqs(vcpu); if (dm_request_for_irq_injection(vcpu)) { r = -EINTR;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_after_imd_1406245806_ssl_scan_serverhello_tlsext.c
268
269
270
271
272
273
274
275
276
277
size_t i; custom_cli_ext_record* record; for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) { record = &s->ctx->custom_cli_ext_records[i]; if (record->ext_type == type) { if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg)) return 0;
+ show +
278
279
280
281
break; } } }
+ show +
282
283
284
285
286
287
288
289
290
291
#ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } #endif data += size;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_before_1mo_1401731720_ssl_scan_serverhello_tlsext.c
265
266
267
268
269
270
271
272
273
274
size_t i; custom_cli_ext_record* record; for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) { record = &s->ctx->custom_cli_ext_records[i]; if (record->ext_type == type) { if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg)) return 0;
+ show +
275
276
277
278
break; } } }
+ show +
279
280
281
282
283
284
285
286
287
288
#ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } #endif data += size;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_after_imd_1413334435_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
25
26
27
28
break; } } }
+ show +
29
30
31
32
33
34
35
36
37
38
#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
25
26
27
28
break; } } }
+ show +
29
30
31
32
33
34
35
36
37
38
#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_after_1mo_1484150942_TIFFWriteDirectorySec.c
329
330
331
332
333
334
335
336
337
338
assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad; } break; default: assert(0); /* we should never get here */
+ show +
339
340
341
342
break; } } }
+ show +
343
344
345
346
347
348
349
350
351
352
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_before_1mo_1450437060_TIFFWriteDirectorySec.c
317
318
319
320
321
322
323
324
325
326
assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad; } break; default: assert(0); /* we should never get here */
+ show +
327
328
329
330
break; } } }
+ show +
331
332
333
334
335
336
337
338
339
340
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_after_1mo_1438981770_X509_verify_cert.c
212
213
214
215
216
217
218
219
220
221
* Dump all the certs above this point - we've found an * alternate chain */ while (num > j) { xtmp = sk_X509_pop(ctx->chain); X509_free(xtmp); num--; } ctx->last_untrusted = sk_X509_num(ctx->chain); retry = 1;
+ show +
222
223
224
225
break; } } }
+ show +
226
227
228
229
230
231
232
233
234
235
} while (retry); /* * If not explicitly trusted then indicate error unless it's a single * self signed certificate in which case we've indicated an error already * and set bad_chain == 1 */ if (i != X509_TRUST_TRUSTED && !bad_chain) { if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_before_imd_1435157736_X509_verify_cert.c
206
207
208
209
210
211
212
213
214
215
* Dump all the certs above this point - we've found an * alternate chain */ while (num > j) { xtmp = sk_X509_pop(ctx->chain); X509_free(xtmp); num--; } ctx->last_untrusted = sk_X509_num(ctx->chain); retry = 1;
+ show +
216
217
218
219
break; } } }
+ show +
220
221
222
223
224
225
226
227
228
229
} while (retry); /* * If not explicitly trusted then indicate error unless it's a single * self signed certificate in which case we've indicated an error already * and set bad_chain == 1 */ if (i != X509_TRUST_TRUSTED && !bad_chain) { if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-1\CVE-2015-3417_after_imd_1432622742_ff_h264_decode_slice_header.c
590
591
592
593
594
595
596
597
598
599
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
600
601
602
603
break; } } }
+ show +
604
605
606
607
608
609
610
611
612
613
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-1\CVE-2015-3417_before_imd_1431334367_ff_h264_decode_slice_header.c
589
590
591
592
593
594
595
596
597
598
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
599
600
601
602
break; } } }
+ show +
603
604
605
606
607
608
609
610
611
612
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_after_1mo_1473024775_PickContigCase.c
125
126
127
128
129
130
131
132
133
134
img->put.contig = putcontig8bitYCbCr22tile; break; case 0x21: img->put.contig = putcontig8bitYCbCr21tile; break; case 0x12: img->put.contig = putcontig8bitYCbCr12tile; break; case 0x11: img->put.contig = putcontig8bitYCbCr11tile;
+ show +
135
136
137
138
break; } } }
+ show +
139
140
141
142
143
144
145
146
147
148
break; case PHOTOMETRIC_CIELAB: if (img->samplesperpixel == 3 && buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; } } return ((img->get!=NULL) && (img->put.contig!=NULL)); }
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_before_1mo_1447878907_PickContigCase.c
121
122
123
124
125
126
127
128
129
130
img->put.contig = putcontig8bitYCbCr22tile; break; case 0x21: img->put.contig = putcontig8bitYCbCr21tile; break; case 0x12: img->put.contig = putcontig8bitYCbCr12tile; break; case 0x11: img->put.contig = putcontig8bitYCbCr11tile;
+ show +
131
132
133
134
break; } } }
+ show +
135
136
137
138
139
140
141
142
143
144
break; case PHOTOMETRIC_CIELAB: if (buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; } } return ((img->get!=NULL) && (img->put.contig!=NULL)); }
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_after_imd_1497264335_TIFFReadDirectory.c
165
166
167
168
169
170
171
172
173
174
case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0)) goto bad; dp->tdir_tag=IGNORE; break; default: if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) dp->tdir_tag=IGNORE;
+ show +
175
176
177
178
break; } } }
+ show +
179
180
181
182
183
184
185
186
187
188
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_after_imd_1497264335_TIFFReadDirectory.c
635
636
637
638
639
640
641
642
643
644
*/ #if !defined(DEFER_STRILE_LOAD) if (tif->tif_dir.td_nstrips > 1) { uint32 strip; tif->tif_dir.td_stripbytecountsorted = 1; for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) { if (tif->tif_dir.td_stripoffset[strip - 1] > tif->tif_dir.td_stripoffset[strip]) { tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
645
646
647
648
break; } } }
+ show +
649
650
651
652
653
654
655
656
657
658
#endif /* !defined(DEFER_STRILE_LOAD) */ /* * An opportunity for compression mode dependent tag fixup */ (*tif->tif_fixuptags)(tif); /* * Some manufacturers make life difficult by writing * large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_before_imd_1493307982_TIFFReadDirectory.c
161
162
163
164
165
166
167
168
169
170
case TIFFTAG_IMAGEDEPTH: case TIFFTAG_TILELENGTH: case TIFFTAG_TILEWIDTH: case TIFFTAG_TILEDEPTH: case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0)) goto bad; dp->tdir_tag=IGNORE;
+ show +
171
172
173
174
break; } } }
+ show +
175
176
177
178
179
180
181
182
183
184
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_before_imd_1493307982_TIFFReadDirectory.c
631
632
633
634
635
636
637
638
639
640
*/ #if !defined(DEFER_STRILE_LOAD) if (tif->tif_dir.td_nstrips > 1) { uint32 strip; tif->tif_dir.td_stripbytecountsorted = 1; for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) { if (tif->tif_dir.td_stripoffset[strip - 1] > tif->tif_dir.td_stripoffset[strip]) { tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
641
642
643
644
break; } } }
+ show +
645
646
647
648
649
650
651
652
653
654
#endif /* !defined(DEFER_STRILE_LOAD) */ /* * An opportunity for compression mode dependent tag fixup */ (*tif->tif_fixuptags)(tif); /* * Some manufacturers make life difficult by writing * large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_after_1mo_1512122530_cvt_by_tile.c
96
97
98
99
100
101
102
103
104
105
/* * Write out the result in a tile. */ if( TIFFWriteEncodedTile( out, TIFFComputeTile( out, col, row, 0, 0), raster, 4 * tile_width * tile_height ) == -1 ) { ok = 0;
+ show +
106
107
108
109
break; } } }
+ show +
110
111
112
113
114
115
_TIFFfree( raster ); _TIFFfree( wrk_line ); return ok; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_tile.c
83
84
85
86
87
88
89
90
91
92
/* * Write out the result in a tile. */ if( TIFFWriteEncodedTile( out, TIFFComputeTile( out, col, row, 0, 0), raster, 4 * tile_width * tile_height ) == -1 ) { ok = 0;
+ show +
93
94
95
96
break; } } }
+ show +
97
98
99
100
101
102
_TIFFfree( raster ); _TIFFfree( wrk_line ); return ok; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_after_1mo_1546723558_propagate_umount.c
47
48
49
50
51
52
53
54
55
56
list_add_tail(&child->mnt_umounting, &visited); continue; } /* Check the child and parents while progress is made */ while (__propagate_umount(child, &to_umount, &to_restore)) { /* Is the parent a umount candidate? */ child = child->mnt_parent; if (list_empty(&child->mnt_umounting))
+ show +
57
58
59
60
break; } } }
+ show +
61
62
63
64
65
66
67
68
umount_list(&to_umount, &to_restore); restore_mounts(&to_restore); cleanup_umount_visitations(&visited); list_splice_tail(&to_umount, list); return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_before_imd_1477343773_propagate_umount.c
14
15
16
17
18
19
20
21
22
23
mnt->mnt_mountpoint); if (!child) continue; /* Check the child and parents while progress is made */ while (__propagate_umount(child, &to_umount, &to_restore)) { /* Is the parent a umount candidate? */ child = child->mnt_parent; if (list_empty(&child->mnt_umounting))
+ show +
24
25
26
27
break; } } }
+ show +
28
29
30
31
32
33
34
umount_list(&to_umount, &to_restore); restore_mounts(&to_restore); list_splice_tail(&to_umount, list); return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
107
108
109
110
111
112
113
114
115
116
b = insn_fetch_type(uint8_t); d = twobyte_table[b]; switch ( b ) { default: ext = ext_0f; break; case 0x38: b = insn_fetch_type(uint8_t); ext = ext_0f38;
+ show +
117
118
119
120
break; } } }
+ show +
121
122
123
124
125
126
127
128
129
130
/* ModRM and SIB bytes. */ if ( d & ModRM ) { modrm = insn_fetch_type(uint8_t); modrm_mod = (modrm & 0xc0) >> 6; if ( !ext && ((b & ~1) == 0xc4) ) switch ( def_ad_bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12991_before_1mo_1477512990_bgp_attr_print.c
348
349
350
351
352
353
354
355
356
357
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
358
359
360
361
break; } } }
+ show +
362
363
364
365
366
367
368
369
370
371
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12994_before_imd_1486412078_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
359
360
361
362
break; } } }
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13046_after_1mo_1502455142_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
359
360
361
362
break; } } }
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13046_before_imd_1489136568_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
359
360
361
362
break; } } }
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-15268_after_1mo_1516290774_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x); h = find_and_clear_dirty_height(vs, y, x, x2, height); x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT); if (x2 > x) { n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); } if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) { y += h; if (y == height) {
+ show +
59
60
61
62
break; } } }
+ show +
63
64
65
66
67
68
69
vs->job_update = vs->update; vs->update = VNC_STATE_UPDATE_NONE; vnc_job_push(job); vs->has_dirty = 0; return n; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-15268_before_imd_1513624344_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x); h = find_and_clear_dirty_height(vs, y, x, x2, height); x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT); if (x2 > x) { n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); } if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) { y += h; if (y == height) {
+ show +
59
60
61
62
break; } } }
+ show +
63
64
65
66
67
68
vnc_job_push(job); vs->update = VNC_STATE_UPDATE_NONE; vs->has_dirty = 0; return n; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-9608_before_imd_1492941237_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0; if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; dctx->cur_byte = 0; dctx->remaining = 0;
+ show +
17
18
19
20
break; } } }
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-1\CVE-2018-10963_before_1mo_1503495222_TIFFWriteDirectorySec.c
329
330
331
332
333
334
335
336
337
338
assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad; } break; default: assert(0); /* we should never get here */
+ show +
339
340
341
342
break; } } }
+ show +
343
344
345
346
347
348
349
350
351
352
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2018-16300_before_imd_1567093481_bgp_attr_print.c
314
315
316
317
318
319
320
321
322
323
break; default: /* * bgp_mp_af_print() should have saved us from * an unsupported AFI/SAFI. */ ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi); tptr += tlen; tlen = 0; goto done;
+ show +
324
325
326
327
break; } } }
+ show +
328
329
330
331
332
333
334
335
336
337
ND_PRINT(", nh-length: %u", nhlen); tptr += tlen; ND_TCHECK_1(tptr); snpa = GET_U_1(tptr); tptr++; if (snpa) { ND_PRINT("\n\t %u SNPA", snpa); for (/*nothing*/; snpa != 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_after_1mo_1528939102_kvm_get_supported_msrs.c
81
82
83
84
85
86
87
88
89
90
has_msr_hv_frequencies = true; break; case HV_X64_MSR_REENLIGHTENMENT_CONTROL: has_msr_hv_reenlightenment = true; break; case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true; break; case MSR_VIRT_SSBD: has_msr_virt_ssbd = true;
+ show +
91
92
93
94
break; } } }
+ show +
95
96
97
98
99
100
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_get_supported_msrs.c
78
79
80
81
82
83
84
85
86
87
has_msr_hv_stimer = true; break; case HV_X64_MSR_TSC_FREQUENCY: has_msr_hv_frequencies = true; break; case HV_X64_MSR_REENLIGHTENMENT_CONTROL: has_msr_hv_reenlightenment = true; break; case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true;
+ show +
88
89
90
91
break; } } }
+ show +
92
93
94
95
96
97
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-2\CVE-2012-2782_after_1mo_1356282605_decode_slice_header.c
614
615
616
617
618
619
620
621
622
623
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
624
625
626
627
break; } } }
+ show +
628
629
630
631
632
633
634
635
636
637
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-2\CVE-2013-6368_after_1mo_1390456818___vcpu_run.c
21
22
23
24
25
26
27
28
29
30
vcpu->arch.pv.pv_unhalted = false; vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE; case KVM_MP_STATE_RUNNABLE: vcpu->arch.apf.halted = false; break; case KVM_MP_STATE_INIT_RECEIVED: break; default: r = -EINTR;
+ show +
31
32
33
34
break; } } }
+ show +
35
36
37
38
39
40
41
42
43
44
if (r <= 0) break; clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests); if (kvm_cpu_has_pending_timer(vcpu)) kvm_inject_pending_timer_irqs(vcpu); if (dm_request_for_irq_injection(vcpu)) { r = -EINTR;
.\cloneFuncs\totalClone\Type-2\CVE-2014-8127_before_6mo_1448206263_TIFFWriteDirectorySec.c
317
318
319
320
321
322
323
324
325
326
assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad; } break; default: assert(0); /* we should never get here */
+ show +
327
328
329
330
break; } } }
+ show +
331
332
333
334
335
336
337
338
339
340
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-2\CVE-2015-1793_before_1mo_1431615408_X509_verify_cert.c
206
207
208
209
210
211
212
213
214
215
* Dump all the certs above this point - we've found an * alternate chain */ while (num > j) { xtmp = sk_X509_pop(ctx->chain); X509_free(xtmp); num--; ctx->last_untrusted--; } retry = 1;
+ show +
216
217
218
219
break; } } }
+ show +
220
221
222
223
224
225
226
227
228
229
} while (retry); /* * If not explicitly trusted then indicate error unless it's a single * self signed certificate in which case we've indicated an error already * and set bad_chain == 1 */ if (i != X509_TRUST_TRUSTED && !bad_chain) { if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-2\CVE-2016-3945_after_6mo_1583583716_cvt_by_tile.c
96
97
98
99
100
101
102
103
104
105
/* * Write out the result in a tile. */ if( TIFFWriteEncodedTile( out, TIFFComputeTile( out, col, row, 0, 0), raster, 4 * tile_width * tile_height ) == -1 ) { ok = 0;
+ show +
106
107
108
109
break; } } }
+ show +
110
111
112
113
114
115
_TIFFfree( raster ); _TIFFfree( wrk_line ); return ok; }
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
103
104
105
106
107
108
109
110
111
112
b = insn_fetch_type(uint8_t); d = twobyte_table[b]; switch ( b ) { default: ext = ext_0f; break; case 0x38: b = insn_fetch_type(uint8_t); ext = ext_0f38;
+ show +
113
114
115
116
break; } } }
+ show +
117
118
119
120
121
122
123
124
125
126
/* ModRM and SIB bytes. */ if ( d & ModRM ) { modrm = insn_fetch_type(uint8_t); modrm_mod = (modrm & 0xc0) >> 6; if ( !ext && ((b & ~1) == 0xc4) ) switch ( def_ad_bytes ) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-9608_after_imd_1536385333_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0; if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; dctx->cur_byte = 0; dctx->remaining = 0;
+ show +
17
18
19
20
break; } } }
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_1mo_1308150611_init_vtd_hw.c
50
51
52
53
54
55
56
57
58
59
int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX, "ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic));
+ show +
60
61
62
63
break; } } }
+ show +
64
65
66
67
68
69
70
71
72
73
if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_1mo_1308150611_init_vtd_hw.c
65
66
67
68
69
70
71
72
73
74
{ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
+ show +
75
76
77
78
break; } } }
+ show +
79
80
81
82
83
84
85
86
87
88
/* * Set root entries for each VT-d engine. After set root entry, * must globally invalidate context cache, and then globally * invalidate IOTLB */ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_6mo_1321364861_init_vtd_hw.c
51
52
53
54
55
56
57
58
59
60
int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX, "ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic));
+ show +
61
62
63
64
break; } } }
+ show +
65
66
67
68
69
70
71
72
73
74
if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_6mo_1321364861_init_vtd_hw.c
66
67
68
69
70
71
72
73
74
75
{ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
+ show +
76
77
78
79
break; } } }
+ show +
80
81
82
83
84
85
86
87
88
89
/* * Set root entries for each VT-d engine. After set root entry, * must globally invalidate context cache, and then globally * invalidate IOTLB */ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_before_6mo_1288772331_init_vtd_hw.c
52
53
54
55
56
57
58
59
60
61
int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX, "ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic));
+ show +
62
63
64
65
break; } } }
+ show +
66
67
68
69
70
71
72
73
74
75
if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX, "Failed to enable Interrupt Remapping!\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_before_6mo_1288772331_init_vtd_hw.c
66
67
68
69
70
71
72
73
74
75
if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX, "Failed to enable Interrupt Remapping!\n");
+ show +
76
77
78
79
break; } } }
+ show +
80
81
82
83
84
85
86
87
88
89
for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; ret = iommu_set_root_entry(iommu); if ( ret ) { dprintk(XENLOG_ERR VTDPREFIX, "IOMMU: set root entry failed\n"); return -EIO; }
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_after_1mo_1355951034_decode_slice_header.c
623
624
625
626
627
628
629
630
631
632
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
633
634
635
636
break; } } }
+ show +
637
638
639
640
641
642
643
644
645
646
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_before_1mo_1343015170_decode_slice_header.c
662
663
664
665
666
667
668
669
670
671
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
672
673
674
675
break; } } }
+ show +
676
677
678
679
680
681
682
683
684
685
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-3\CVE-2013-6368_before_6mo_1368141701___vcpu_run.c
25
26
27
28
29
30
31
32
33
34
case KVM_MP_STATE_HALTED: vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE; case KVM_MP_STATE_RUNNABLE: vcpu->arch.apf.halted = false; break; case KVM_MP_STATE_INIT_RECEIVED: break; default: r = -EINTR;
+ show +
35
36
37
38
break; } } }
+ show +
39
40
41
42
43
44
45
46
47
48
if (r <= 0) break; clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests); if (kvm_cpu_has_pending_timer(vcpu)) kvm_inject_pending_timer_irqs(vcpu); if (dm_request_for_irq_injection(vcpu)) { r = -EINTR;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3509_before_6mo_1389879991_ssl_scan_serverhello_tlsext.c
266
267
268
269
270
271
272
273
274
275
size_t i; custom_cli_ext_record* record; for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) { record = &s->ctx->custom_cli_ext_records[i]; if (record->ext_type == type) { if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg)) return 0;
+ show +
276
277
278
279
break; } } }
+ show +
280
281
282
283
284
285
286
287
288
289
#ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } #endif data += size;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_after_1mo_1415662184_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
25
26
27
28
break; } } }
+ show +
29
30
31
32
33
34
35
36
37
38
#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
25
26
27
28
break; } } }
+ show +
29
30
31
32
33
34
35
36
37
38
#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_6mo_1396741866_ssl_add_clienthello_tlsext.c
14
15
16
17
18
19
20
21
22
23
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
24
25
26
27
break; } } }
+ show +
28
29
30
31
32
33
34
35
36
37
#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) return p; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_1mo_1430903575_ff_h264_decode_slice_header.c
593
594
595
596
597
598
599
600
601
602
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
603
604
605
606
break; } } }
+ show +
607
608
609
610
611
612
613
614
615
616
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_1mo_1435423097_ff_h264_decode_slice_header.c
706
707
708
709
710
711
712
713
714
715
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
716
717
718
719
break; } } }
+ show +
720
721
722
723
724
725
726
727
728
729
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_6mo_1448902308_ff_h264_decode_slice_header.c
613
614
615
616
617
618
619
620
621
622
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
623
624
625
626
break; } } }
+ show +
627
628
629
630
631
632
633
634
635
636
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_imd_1433014380_ff_h264_decode_slice_header.c
703
704
705
706
707
708
709
710
711
712
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
713
714
715
716
break; } } }
+ show +
717
718
719
720
721
722
723
724
725
726
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_before_1mo_1426496256_ff_h264_decode_slice_header.c
580
581
582
583
584
585
586
587
588
589
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f.buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
590
591
592
593
break; } } }
+ show +
594
595
596
597
598
599
600
601
602
603
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_after_1mo_1500124796_TIFFReadDirectory.c
165
166
167
168
169
170
171
172
173
174
case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0)) goto bad; dp->tdir_tag=IGNORE; break; default: if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) dp->tdir_tag=IGNORE;
+ show +
175
176
177
178
break; } } }
+ show +
179
180
181
182
183
184
185
186
187
188
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_after_1mo_1500124796_TIFFReadDirectory.c
637
638
639
640
641
642
643
644
645
646
*/ #if !defined(DEFER_STRILE_LOAD) if (tif->tif_dir.td_nstrips > 1) { uint32 strip; tif->tif_dir.td_stripbytecountsorted = 1; for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) { if (tif->tif_dir.td_stripoffset[strip - 1] > tif->tif_dir.td_stripoffset[strip]) { tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
647
648
649
650
break; } } }
+ show +
651
652
653
654
655
656
657
658
659
660
#endif /* !defined(DEFER_STRILE_LOAD) */ /* * An opportunity for compression mode dependent tag fixup */ (*tif->tif_fixuptags)(tif); /* * Some manufacturers make life difficult by writing * large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_before_1mo_1484150942_TIFFReadDirectory.c
161
162
163
164
165
166
167
168
169
170
case TIFFTAG_IMAGEDEPTH: case TIFFTAG_TILELENGTH: case TIFFTAG_TILEWIDTH: case TIFFTAG_TILEDEPTH: case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0)) goto bad; dp->tdir_tag=IGNORE;
+ show +
171
172
173
174
break; } } }
+ show +
175
176
177
178
179
180
181
182
183
184
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_before_1mo_1484150942_TIFFReadDirectory.c
615
616
617
618
619
620
621
622
623
624
*/ #if !defined(DEFER_STRILE_LOAD) if (tif->tif_dir.td_nstrips > 1) { uint32 strip; tif->tif_dir.td_stripbytecountsorted = 1; for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) { if (tif->tif_dir.td_stripoffset[strip - 1] > tif->tif_dir.td_stripoffset[strip]) { tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
625
626
627
628
break; } } }
+ show +
629
630
631
632
633
634
635
636
637
638
#endif /* !defined(DEFER_STRILE_LOAD) */ /* * An opportunity for compression mode dependent tag fixup */ (*tif->tif_fixuptags)(tif); /* * Some manufacturers make life difficult by writing * large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_after_imd_1486498087_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
359
360
361
362
break; } } }
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_before_6mo_1468230214_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
} break; default: ND_TCHECK2(tptr[0], tlen); ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi)); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
359
360
361
362
break; } } }
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen)); tptr += tlen; ND_TCHECK(tptr[0]); snpa = tptr[0]; tptr++; if (snpa) { ND_PRINT((ndo, "\n\t %u SNPA", snpa)); for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_1mo_1562399506_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0; if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; dctx->cur_byte = 0; dctx->remaining = 0;
+ show +
17
18
19
20
break; } } }
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_6mo_1562399570_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0; if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; dctx->cur_byte = 0; dctx->remaining = 0;
+ show +
17
18
19
20
break; } } }
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_6mo_1562399570_dnxhd_find_frame_end.c
48
49
50
51
52
53
54
55
56
57
pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; dctx->remaining = 0; return remaining; } else { dctx->remaining -= buf_size; // Update variables for correctness, they are currently not used beyond here state = -1; dctx->cur_byte += buf_size - i;
+ show +
58
59
60
61
break; } } }
+ show +
62
63
64
65
66
67
68
69
70
71
} else if (pic_found) { if (dctx->remaining > buf_size) { dctx->remaining -= buf_size; } else { int remaining = dctx->remaining; pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; dctx->remaining = 0;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_before_1mo_1492178947_dnxhd_find_frame_end.c
11
12
13
14
15
16
17
18
19
20
if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */ cur_field = state&1; dctx->cur_byte = 0; dctx->remaining = 0;
+ show +
21
22
23
24
break; } } }
+ show +
25
26
27
28
29
30
31
32
33
34
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_after_1mo_1579492538_bgp_attr_print.c
339
340
341
342
343
344
345
346
347
348
default: /* * bgp_mp_af_print() should have saved us from * an unsupported AFI/SAFI. */ ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi); tptr += tnhlen; tlen -= tnhlen; tnhlen = 0; goto done;
+ show +
349
350
351
352
break; } } }
+ show +
353
354
355
356
357
358
359
360
361
362
ND_PRINT(", nh-length: %u", nhlen); /* As per RFC 2858; this is reserved in RFC 4760 */ if (tlen < 1) goto trunc; ND_TCHECK_1(tptr); snpa = GET_U_1(tptr); tptr++; tlen--;
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_after_imd_1573430179_bgp_attr_print.c
339
340
341
342
343
344
345
346
347
348
default: /* * bgp_mp_af_print() should have saved us from * an unsupported AFI/SAFI. */ ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi); tptr += tnhlen; tlen -= tnhlen; tnhlen = 0; goto done;
+ show +
349
350
351
352
break; } } }
+ show +
353
354
355
356
357
358
359
360
361
362
ND_PRINT(", nh-length: %u", nhlen); /* As per RFC 2858; this is reserved in RFC 4760 */ if (tlen < 1) goto trunc; ND_TCHECK_1(tptr); snpa = GET_U_1(tptr); tptr++; tlen--;
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_after_6mo_1543205848_kvm_get_supported_msrs.c
84
85
86
87
88
89
90
91
92
93
has_msr_hv_reenlightenment = true; break; case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true; break; case MSR_VIRT_SSBD: has_msr_virt_ssbd = true; break; case MSR_IA32_ARCH_CAPABILITIES: has_msr_arch_capabs = true;
+ show +
94
95
96
97
break; } } }
+ show +
98
99
100
101
102
103
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_get_supported_msrs.c
75
76
77
78
79
80
81
82
83
84
has_msr_hv_synic = true; break; case HV_X64_MSR_STIMER0_CONFIG: has_msr_hv_stimer = true; break; case HV_X64_MSR_TSC_FREQUENCY: has_msr_hv_frequencies = true; break; case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true;
+ show +
85
86
87
88
break; } } }
+ show +
89
90
91
92
93
94
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_6mo_1499976921_kvm_get_supported_msrs.c
69
70
71
72
73
74
75
76
77
78
has_msr_hv_runtime = true; break; case HV_X64_MSR_SCONTROL: has_msr_hv_synic = true; break; case HV_X64_MSR_STIMER0_CONFIG: has_msr_hv_stimer = true; break; case HV_X64_MSR_TSC_FREQUENCY: has_msr_hv_frequencies = true;
+ show +
79
80
81
82
break; } } }
+ show +
83
84
85
86
87
88
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362392468_decode_slice_header.c
611
612
613
614
615
616
617
618
619
620
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
621
622
623
624
break; } } }
+ show +
625
626
627
628
629
630
631
632
633
634
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362608829_decode_slice_header.c
639
640
641
642
643
644
645
646
647
648
int k; uint8_t *base = h->ref_list[j][i].f.base[0]; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.base[0] == base) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) { id_list[i] = h->short_ref_count + k;
+ show +
649
650
651
652
break; } } }
+ show +
653
654
655
656
657
658
659
660
661
662
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].f.reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-4\CVE-2014-3513_after_6mo_1429163403_ssl_add_clienthello_tlsext.c
13
14
15
16
17
18
19
20
21
22
STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1;
+ show +
23
24
25
26
break; } } }
+ show +
27
28
29
30
31
32
33
34
35
36
# endif ret += 2; if (ret >= limit) return NULL; /* this really never occurs, but ... */ /* Add RI if renegotiating */ if (s->renegotiate) { int el;
.\cloneFuncs\totalClone\Type-4\CVE-2015-0285_before_6mo_1406414860_ssl3_client_hello.c
69
70
71
72
73
74
75
76
77
78
* required to use same upon reply to HelloVerify */ if (SSL_IS_DTLS(s)) { size_t idx; i = 1; for (idx=0; idx < sizeof(s->s3->client_random); idx++) { if (p[idx]) { i = 0;
+ show +
79
80
81
82
break; } } }
+ show +
83
84
85
86
87
88
89
90
91
92
else i = 1; if (i) ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d=p= ssl_handshake_start(s);
.\cloneFuncs\totalClone\Type-4\CVE-2015-3417_after_6mo_1448399557_ff_h264_decode_slice_header.c
757
758
759
760
761
762
763
764
765
766
int k; AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
767
768
769
770
break; } } }
+ show +
771
772
773
774
775
776
777
778
779
780
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-4\CVE-2015-3417_before_6mo_1396608464_ff_h264_decode_slice_header.c
582
583
584
585
586
587
588
589
590
591
int k; AVBuffer *buf = h->ref_list[j][i].f.buf[0]->buffer; for (k = 0; k < h->short_ref_count; k++) if (h->short_ref[k]->f.buf[0]->buffer == buf) { id_list[i] = k; break; } for (k = 0; k < h->long_ref_count; k++) if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) { id_list[i] = h->short_ref_count + k;
+ show +
592
593
594
595
break; } } }
+ show +
596
597
598
599
600
601
602
603
604
605
ref2frm[0] = ref2frm[1] = -1; for (i = 0; i < 16; i++) ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].reference & 3); ref2frm[18 + 0] = ref2frm[18 + 1] = -1; for (i = 16; i < 48; i++) ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] + (h->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-4\CVE-2017-13046_after_6mo_1517362173_bgp_attr_print.c
359
360
361
362
363
364
365
366
367
368
} break; default: ND_TCHECK_LEN(tptr, tlen); ND_PRINT("no AFI %u/SAFI %u decoder", af, safi); if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, tptr, "\n\t ", tlen); tptr += tlen; tlen = 0; goto done;
+ show +
369
370
371
372
break; } } }
+ show +
373
374
375
376
377
378
379
380
381
382
ND_PRINT(", nh-length: %u", nhlen); tptr += tlen; ND_TCHECK_1(tptr); snpa = EXTRACT_U_1(tptr); tptr++; if (snpa) { ND_PRINT("\n\t %u SNPA", snpa); for (/*nothing*/; snpa != 0; snpa--) {
.\cloneFuncs\totalClone\Type-4\CVE-2017-15268_before_1mo_1505229707_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x); h = find_and_clear_dirty_height(vs, y, x, x2, height); x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT); if (x2 > x) { n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); } if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) { y += h; if (y == height) {
+ show +
59
60
61
62
break; } } }
+ show +
63
64
65
66
67
68
69
70
71
72
vnc_job_push(job); if (sync) { vnc_jobs_join(vs); } vs->force_update = 0; vs->has_dirty = 0; return n; }
.\cloneFuncs\totalClone\Type-4\CVE-2017-9608_before_6mo_1455428672_dnxhd_find_frame_end.c
9
10
11
12
13
14
15
16
17
18
int cur_field = dctx->cur_field; if (!pic_found) { for (i = 0; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */ cur_field = state&1;
+ show +
19
20
21
22
break; } } }
+ show +
23
24
25
26
27
28
29
30
31
32
if (pic_found) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { state = (state << 8) | buf[i]; if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { if (!interlaced || dctx->cur_field) { pc->frame_start_found = 0; pc->state64 = -1;
.\cloneFuncs\totalClone\Type-4\CVE-2018-8897_after_6mo_1519235653_do_debug.c
86
87
88
89
90
91
92
93
94
95
if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */ (dr7 & (3u << (bp * DR_ENABLE_SIZE))) && /* Enabled? */ ((dr7 & (3u << ((bp * DR_CONTROL_SIZE) + /* Insn? */ DR_CONTROL_SHIFT))) == DR_RW_EXECUTE) ) { ASSERT_UNREACHABLE(); printk(XENLOG_ERR "Hit instruction breakpoint in Xen context\n"); write_debugreg(7, 0);
+ show +
96
97
98
99
break; } } }
+ show +
100
101
102
103
104
105
106
107
108
109
/* * Whatever caused this #DB should be restartable by this point. Note * it and continue. Guests can trigger this in certain corner cases, * so ensure the message is ratelimited. */ gprintk(XENLOG_WARNING, "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n", regs->cs, _p(regs->rip), _p(regs->rip), regs->ss, _p(regs->rsp), dr6);

[qemu_CVE-2007-1320_1210022791_cirrus_bitblt_common_patterncopy.diff] cirrus_bitblt_common_patterncopy_OLD.c #1
{ uint8_t *dst; - dst = s->vram_ptr + s->cirrus_blt_dstaddr; + dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + + if (BLTUNSAFE(s)) + return 0; + (*s->cirrus_rop) (s, dst, src, s->cirrus_blt_dstpitch, 0, s->cirrus_blt_width, s->cirrus_blt_height);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_bitblt_common_patterncopy.c
1
2
static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, const uint8_t * src)
+ show +
3
4
5
6
7
8
9
{ uint8_t *dst; dst = s->vram_ptr + s->cirrus_blt_dstaddr; (*s->cirrus_rop) (s, dst, src, s->cirrus_blt_dstpitch, 0, s->cirrus_blt_width, s->cirrus_blt_height);
+ show +
10
11
12
13
14
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height); return 1; }

[qemu_CVE-2007-1320_1210022791_cirrus_bitblt_cputovideo_next.diff] cirrus_bitblt_cputovideo_next_OLD.c #1
} else { /* at least one scan line */ do { - (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); + (*s->cirrus_rop)(s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, s->cirrus_blt_width, 1); s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_bitblt_cputovideo_next.c
2
3
4
5
6
7
8
9
10
11
{ int copy_count; uint8_t *end_ptr; if (s->cirrus_srccounter > 0) { if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) { cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf); the_end: s->cirrus_srccounter = 0; cirrus_bitblt_reset(s);
+ show +
12
13
14
15
16
17
18
19
} else { /* at least one scan line */ do { (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr, s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, s->cirrus_blt_width, 1); s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
+ show +
20
21
22
23
24
25
26
27
28
29
s->cirrus_srccounter -= s->cirrus_blt_srcpitch; if (s->cirrus_srccounter <= 0) goto the_end; /* more bytes than needed can be transfered because of word alignment, so we keep them for the next line */ /* XXX: keep alignment to speed up transfer */ end_ptr = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; copy_count = s->cirrus_srcptr_end - end_ptr; memmove(s->cirrus_bltbuf, end_ptr, copy_count); s->cirrus_srcptr = s->cirrus_bltbuf + copy_count;

[qemu_CVE-2007-1320_1210022791_cirrus_bitblt_videotovideo_copy.diff] cirrus_bitblt_videotovideo_copy_OLD.c #1
s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { - (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->vram_ptr + s->cirrus_blt_srcaddr, + + if (BLTUNSAFE(s)) + return 0; + + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_bitblt_videotovideo_copy.c
1
2
3
4
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) { if (s->ds->dpy_copy) { cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ show +
5
6
7
8
9
10
11
s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, s->vram_ptr + s->cirrus_blt_srcaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height);
+ show +
12
13
14
15
16
17
18
19
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height); } return 1; }

[qemu_CVE-2007-1320_1210022791_cirrus_do_copy.diff] cirrus_do_copy_OLD.c #1
if (notify) vga_hw_update(); - (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->vram_ptr + s->cirrus_blt_srcaddr, + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_do_copy.c
35
36
37
38
39
40
41
42
43
44
notify = 1; } /* make to sure only copy if it's a plain copy ROP */ if (*s->cirrus_rop != cirrus_bitblt_rop_fwd_src && *s->cirrus_rop != cirrus_bitblt_rop_bkwd_src) notify = 0; /* we have to flush all pending changes so that the copy is generated at the appropriate moment in time */
+ show +
45
46
47
48
49
50
51
if (notify) vga_hw_update(); (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, s->vram_ptr + s->cirrus_blt_srcaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height);
+ show +
52
53
54
55
56
57
58
59
60
61
if (notify) s->ds->dpy_copy(s->ds, sx, sy, dx, dy, s->cirrus_blt_width / depth, s->cirrus_blt_height); /* we don't have to notify the display that this portion has changed since dpy_copy implies this */

[qemu_CVE-2007-1320_1210022791_cirrus_invalidate_region.diff] cirrus_invalidate_region_OLD.c #1
for (y = 0; y < lines; y++) { off_cur = off_begin; - off_cur_end = off_cur + bytesperline; + off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask; off_cur &= TARGET_PAGE_MASK; while (off_cur < off_cur_end) { cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_invalidate_region.c
1
2
3
4
5
6
7
8
static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, int off_pitch, int bytesperline, int lines) { int y; int off_cur; int off_cur_end;
+ show +
9
10
11
12
13
14
for (y = 0; y < lines; y++) { off_cur = off_begin; off_cur_end = off_cur + bytesperline; off_cur &= TARGET_PAGE_MASK; while (off_cur < off_cur_end) { cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+ show +
15
16
17
18
19
off_cur += TARGET_PAGE_SIZE; } off_begin += off_pitch; } }

[qemu_CVE-2007-1320_1210022791_cirrus_mem_writeb_mode4and5_16bpp.diff] cirrus_mem_writeb_mode4and5_16bpp_OLD.c #1
unsigned val = mem_value; uint8_t *dst; - dst = s->vram_ptr + offset; + dst = s->vram_ptr + (offset &= s->cirrus_addr_mask); for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_mem_writeb_mode4and5_16bpp.c
1
2
3
4
5
6
static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, unsigned mode, unsigned offset, uint32_t mem_value) { int x;
+ show +
7
8
9
10
11
12
13
unsigned val = mem_value; uint8_t *dst; dst = s->vram_ptr + offset; for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
+ show +
14
15
16
17
18
19
20
21
22
23
*(dst + 1) = s->gr[0x11]; } else if (mode == 5) { *dst = s->cirrus_shadow_gr0; *(dst + 1) = s->gr[0x10]; } val <<= 1; dst += 2; } cpu_physical_memory_set_dirty(s->vram_offset + offset); cpu_physical_memory_set_dirty(s->vram_offset + offset + 15);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_mem_writeb_mode4and5_8bpp.c
1
2
3
4
5
6
static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s, unsigned mode, unsigned offset, uint32_t mem_value) { int x;
+ show +
7
8
9
10
11
12
13
unsigned val = mem_value; uint8_t *dst; dst = s->vram_ptr + offset; for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
+ show +
14
15
16
17
18
19
20
21
22
} else if (mode == 5) { *dst = s->cirrus_shadow_gr0; } val <<= 1; dst++; } cpu_physical_memory_set_dirty(s->vram_offset + offset); cpu_physical_memory_set_dirty(s->vram_offset + offset + 7); }

[qemu_CVE-2007-1320_1210022791_cirrus_mem_writeb_mode4and5_8bpp.diff] cirrus_mem_writeb_mode4and5_8bpp_OLD.c #1
unsigned val = mem_value; uint8_t *dst; - dst = s->vram_ptr + offset; + dst = s->vram_ptr + (offset &= s->cirrus_addr_mask); for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_mem_writeb_mode4and5_16bpp.c
1
2
3
4
5
6
static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, unsigned mode, unsigned offset, uint32_t mem_value) { int x;
+ show +
7
8
9
10
11
12
13
unsigned val = mem_value; uint8_t *dst; dst = s->vram_ptr + offset; for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
+ show +
14
15
16
17
18
19
20
21
22
23
*(dst + 1) = s->gr[0x11]; } else if (mode == 5) { *dst = s->cirrus_shadow_gr0; *(dst + 1) = s->gr[0x10]; } val <<= 1; dst += 2; } cpu_physical_memory_set_dirty(s->vram_offset + offset); cpu_physical_memory_set_dirty(s->vram_offset + offset + 15);
.\cloneFuncs\totalClone\Type-1\CVE-2007-1320_before_1mo_1197848471_cirrus_mem_writeb_mode4and5_8bpp.c
1
2
3
4
5
6
static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s, unsigned mode, unsigned offset, uint32_t mem_value) { int x;
+ show +
7
8
9
10
11
12
13
unsigned val = mem_value; uint8_t *dst; dst = s->vram_ptr + offset; for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1;
+ show +
14
15
16
17
18
19
20
21
22
} else if (mode == 5) { *dst = s->cirrus_shadow_gr0; } val <<= 1; dst++; } cpu_physical_memory_set_dirty(s->vram_offset + offset); cpu_physical_memory_set_dirty(s->vram_offset + offset + 7); }

[qemu_CVE-2007-1322_1228673736_disas_insn.diff] disas_insn_OLD.c #1
gen_jmp_im(pc_start - s->cs_base); gen_helper_into(tcg_const_i32(s->pc - pc_start)); break; +#ifdef WANT_ICEBP case 0xf1: /* icebp (undocumented, exits to external debugger) */ gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP); #if 1
.\cloneFuncs\totalClone\Type-1\CVE-2007-1322_before_imd_1227651237_disas_insn.c
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } else { gen_interrupt(s, val, pc_start - s->cs_base, s->pc - s->cs_base); } break; case 0xce: /* into */ if (CODE64(s)) goto illegal_op; if (s->cc_op != CC_OP_DYNAMIC) gen_op_set_cc_op(s->cc_op);
+ show +
2609
2610
2611
2612
2613
2614
gen_jmp_im(pc_start - s->cs_base); gen_helper_into(tcg_const_i32(s->pc - pc_start)); break; case 0xf1: /* icebp (undocumented, exits to external debugger) */ gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP); #if 1
+ show +
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
gen_debug(s, pc_start - s->cs_base); #else /* start debug */ tb_flush(cpu_single_env); cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) {

[qemu_CVE-2007-1322_1228673736_disas_insn.diff] disas_insn_OLD.c #2
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; +#endif case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) {
.\cloneFuncs\totalClone\Type-1\CVE-2007-1322_before_imd_1227651237_disas_insn.c
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
gen_jmp_im(pc_start - s->cs_base); gen_helper_into(tcg_const_i32(s->pc - pc_start)); break; case 0xf1: /* icebp (undocumented, exits to external debugger) */ gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP); #if 1 gen_debug(s, pc_start - s->cs_base); #else /* start debug */ tb_flush(cpu_single_env);
+ show +
2619
2620
2621
2622
2623
2624
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) {
+ show +
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
gen_helper_cli(); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } } else { if (s->iopl == 3) { gen_helper_cli(); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); }
.\cloneFuncs\totalClone\Type-3\CVE-2007-1322_before_1mo_1223120032_disas_insn.c
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
gen_jmp_im(pc_start - s->cs_base); tcg_gen_helper_0_1(helper_into, tcg_const_i32(s->pc - pc_start)); break; case 0xf1: /* icebp (undocumented, exits to external debugger) */ gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP); #if 1 gen_debug(s, pc_start - s->cs_base); #else /* start debug */ tb_flush(cpu_single_env);
+ show +
2628
2629
2630
2631
2632
2633
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) {
+ show +
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
tcg_gen_helper_0_0(helper_cli); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } } else { if (s->iopl == 3) { tcg_gen_helper_0_0(helper_cli); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); }
.\cloneFuncs\totalClone\Type-3\CVE-2007-1322_before_6mo_1212756870_disas_insn.c
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
gen_jmp_im(pc_start - s->cs_base); tcg_gen_helper_0_1(helper_into, tcg_const_i32(s->pc - pc_start)); break; case 0xf1: /* icebp (undocumented, exits to external debugger) */ gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP); #if 1 gen_debug(s, pc_start - s->cs_base); #else /* start debug */ tb_flush(cpu_single_env);
+ show +
2598
2599
2600
2601
2602
2603
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) {
+ show +
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
tcg_gen_helper_0_0(helper_cli); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } } else { if (s->iopl == 3) { tcg_gen_helper_0_0(helper_cli); } else { gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); }

[linux_CVE-2007-2876_1184135092_sctp_new.diff] sctp_new_OLD.c #1
SCTP_CONNTRACK_NONE, sch->type); /* Invalid: delete conntrack */ - if (newconntrack == SCTP_CONNTRACK_MAX) { + if (newconntrack == SCTP_CONNTRACK_NONE || + newconntrack == SCTP_CONNTRACK_MAX) { pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2007-2876_before_imd_1183873178_sctp_new.c
18
19
20
21
22
23
24
25
26
27
if ((test_bit (SCTP_CID_ABORT, (void *)map)) || (test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map)) || (test_bit (SCTP_CID_COOKIE_ACK, (void *)map))) { return 0; } newconntrack = SCTP_CONNTRACK_MAX; for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { /* Don't need lock here: this conntrack not in circulation yet */ newconntrack = new_state(IP_CT_DIR_ORIGINAL,
+ show +
28
29
30
31
32
33
34
SCTP_CONNTRACK_NONE, sch->type); /* Invalid: delete conntrack */ if (newconntrack == SCTP_CONNTRACK_MAX) { pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); return 0; }
+ show +
35
36
37
38
39
40
41
42
43
44
/* Copy the vtag into the state info */ if (sch->type == SCTP_CID_INIT) { if (sh->vtag == 0) { sctp_inithdr_t _inithdr, *ih; ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), sizeof(_inithdr), &_inithdr); if (ih == NULL) return 0;

[linux_CVE-2007-3105_1184869814_xfer_secondary_pool.diff] xfer_secondary_pool_OLD.c #1
if (r->pull && r->entropy_count < nbytes * 8 && r->entropy_count < r->poolinfo->POOLBITS) { - int bytes = max_t(int, random_read_wakeup_thresh / 8, - min_t(int, nbytes, sizeof(tmp))); + /* If we're limited, always leave two wakeup worth's BITS */ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; + int bytes = nbytes; + + /* pull at least as many as BYTES as wakeup BITS */ + bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); + /* but never more than the buffer size */ + bytes = min_t(int, bytes, sizeof(tmp)); DEBUG_ENT("going to reseed %s with %d bits " "(%d of %d requested)\n",
.\cloneFuncs\totalClone\Type-1\CVE-2007-3105_before_1mo_1180493890_xfer_secondary_pool.c
1
2
3
4
static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes) { __u32 tmp[OUTPUT_POOL_WORDS];
+ show +
5
6
7
8
9
10
11
12
if (r->pull && r->entropy_count < nbytes * 8 && r->entropy_count < r->poolinfo->POOLBITS) { int bytes = max_t(int, random_read_wakeup_thresh / 8, min_t(int, nbytes, sizeof(tmp))); int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; DEBUG_ENT("going to reseed %s with %d bits " "(%d of %d requested)\n",
+ show +
13
14
15
16
17
18
19
20
r->name, bytes * 8, nbytes * 8, r->entropy_count); bytes=extract_entropy(r->pull, tmp, bytes, random_read_wakeup_thresh / 8, rsvd); add_entropy_words(r, tmp, (bytes + 3) / 4); credit_entropy_store(r, bytes*8); } }

[openssl_CVE-2010-3864_1289917131_ssl_parse_clienthello_tlsext.diff] ssl_parse_clienthello_tlsext_OLD.c #1
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_after_imd_1220480231_ssl_parse_clienthello_tlsext.c
75
76
77
78
79
80
81
82
83
84
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
85
86
87
88
89
90
91
92
93
94
95
96
97
98
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
99
100
101
102
103
104
105
106
107
108
OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_before_1mo_1209123212_ssl_parse_clienthello_tlsext.c
75
76
77
78
79
80
81
82
83
84
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
85
86
87
88
89
90
91
92
93
94
95
96
97
98
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
99
100
101
102
103
104
105
106
107
108
OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3864_before_imd_1283706841_ssl_parse_clienthello_tlsext.c
77
78
79
80
81
82
83
84
85
86
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
87
88
89
90
91
92
93
94
95
96
97
98
99
100
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
101
102
103
104
105
106
107
108
109
110
OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len
.\cloneFuncs\totalClone\Type-2\CVE-2010-3864_before_1mo_1282908555_ssl_parse_clienthello_tlsext.c
77
78
79
80
81
82
83
84
85
86
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
87
88
89
90
91
92
93
94
95
96
97
98
99
100
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
101
102
103
104
105
106
107
108
109
110
OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_after_1mo_1226769492_ssl_parse_clienthello_tlsext.c
75
76
77
78
79
80
81
82
83
84
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
85
86
87
88
89
90
91
92
93
94
95
96
97
98
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
99
100
101
102
103
104
105
106
107
108
OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_before_6mo_1193400396_ssl_parse_clienthello_tlsext.c
73
74
75
76
77
78
79
80
81
82
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
83
84
85
86
87
88
89
90
91
92
93
94
95
96
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
97
98
99
100
101
102
103
104
105
106
OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3864_before_6mo_1266431911_ssl_parse_clienthello_tlsext.c
77
78
79
80
81
82
83
84
85
86
servname_type = *(sdata++); n2s(sdata,len); dsize -= 3; if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; } if (s->servername_done == 0)
+ show +
87
88
89
90
91
92
93
94
95
96
97
98
99
100
switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) {
+ show +
101
102
103
104
105
106
107
108
109
110
OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len

[openssl_CVE-2010-3864_1289917131_ssl_parse_clienthello_tlsext.diff] ssl_parse_clienthello_tlsext_OLD.c #2
} else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_after_imd_1220480231_ssl_parse_clienthello_tlsext.c
96
97
98
99
100
101
102
103
104
105
memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
106
107
108
109
110
111
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
112
113
114
115
116
117
118
119
120
121
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_before_1mo_1209123212_ssl_parse_clienthello_tlsext.c
95
96
97
98
99
100
101
102
103
104
} memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
105
106
107
108
109
110
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
111
112
113
114
115
116
117
118
119
120
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3864_before_imd_1283706841_ssl_parse_clienthello_tlsext.c
98
99
100
101
102
103
104
105
106
107
memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
108
109
110
111
112
113
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
114
115
116
117
118
119
120
121
122
123
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-2\CVE-2010-3864_before_1mo_1282908555_ssl_parse_clienthello_tlsext.c
98
99
100
101
102
103
104
105
106
107
memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
108
109
110
111
112
113
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
114
115
116
117
118
119
120
121
122
123
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_after_1mo_1226769492_ssl_parse_clienthello_tlsext.c
96
97
98
99
100
101
102
103
104
105
memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
106
107
108
109
110
111
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
112
113
114
115
116
117
118
119
120
121
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_before_6mo_1193400396_ssl_parse_clienthello_tlsext.c
93
94
95
96
97
98
99
100
101
102
} memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
103
104
105
106
107
108
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
109
110
111
112
113
114
115
116
117
118
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3864_before_6mo_1266431911_ssl_parse_clienthello_tlsext.c
98
99
100
101
102
103
104
105
106
107
memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } s->servername_done = 1;
+ show +
108
109
110
111
112
113
} else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;
+ show +
114
115
116
117
118
119
120
121
122
123
default: break; } dsize -= len; } if (dsize != 0) { *al = SSL_AD_DECODE_ERROR;

[openssl_CVE-2010-3864_1289917131_ssl_parse_clienthello_tlsext.diff] ssl_parse_clienthello_tlsext_OLD.c #3
*al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + if(s->session->tlsext_ecpointformatlist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = 0; + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; + memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_after_imd_1220480231_ssl_parse_clienthello_tlsext.c
125
126
127
128
129
130
131
132
133
134
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
150
151
152
153
154
155
156
157
158
159
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++));
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_before_1mo_1209123212_ssl_parse_clienthello_tlsext.c
124
125
126
127
128
129
130
131
132
133
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
149
150
151
152
153
154
155
156
157
158
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++));
.\cloneFuncs\totalClone\Type-1\CVE-2010-3864_before_imd_1283706841_ssl_parse_clienthello_tlsext.c
128
129
130
131
132
133
134
135
136
137
#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
153
154
155
156
157
158
159
160
161
162
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8);
.\cloneFuncs\totalClone\Type-2\CVE-2010-3864_before_1mo_1282908555_ssl_parse_clienthello_tlsext.c
128
129
130
131
132
133
134
135
136
137
#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
153
154
155
156
157
158
159
160
161
162
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8);
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_after_1mo_1226769492_ssl_parse_clienthello_tlsext.c
125
126
127
128
129
130
131
132
133
134
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
150
151
152
153
154
155
156
157
158
159
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++));
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_before_6mo_1193400396_ssl_parse_clienthello_tlsext.c
122
123
124
125
126
127
128
129
130
131
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
147
148
149
150
151
152
153
154
155
156
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++));
.\cloneFuncs\totalClone\Type-3\CVE-2010-3864_before_6mo_1266431911_ssl_parse_clienthello_tlsext.c
128
129
130
131
132
133
134
135
136
137
#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist;
+ show +
153
154
155
156
157
158
159
160
161
162
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8);

[openssl_CVE-2010-3864_1289917131_ssl_parse_clienthello_tlsext.diff] ssl_parse_clienthello_tlsext_OLD.c #4
*al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ellipticcurvelist_length = 0; - if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); - if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + if(s->session->tlsext_ellipticcurvelist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + s->session->tlsext_ellipticcurvelist_length = 0; + if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; + memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); } - s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; - memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_after_imd_1220480231_ssl_parse_clienthello_tlsext.c
153
154
155
156
157
158
159
160
161
162
#endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
178
179
180
181
182
183
184
185
186
187
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_before_1mo_1209123212_ssl_parse_clienthello_tlsext.c
152
153
154
155
156
157
158
159
160
161
#endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
177
178
179
180
181
182
183
184
185
186
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3864_before_imd_1283706841_ssl_parse_clienthello_tlsext.c
157
158
159
160
161
162
163
164
165
166
} else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
182
183
184
185
186
187
188
189
190
191
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && s->version != DTLS1_VERSION) {
.\cloneFuncs\totalClone\Type-2\CVE-2010-3864_before_1mo_1282908555_ssl_parse_clienthello_tlsext.c
157
158
159
160
161
162
163
164
165
166
} else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
182
183
184
185
186
187
188
189
190
191
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && s->version != DTLS1_VERSION) {
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_after_1mo_1226769492_ssl_parse_clienthello_tlsext.c
153
154
155
156
157
158
159
160
161
162
#endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
178
179
180
181
182
183
184
185
186
187
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data;
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_before_6mo_1193400396_ssl_parse_clienthello_tlsext.c
150
151
152
153
154
155
156
157
158
159
#endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
175
176
177
178
179
180
181
182
183
184
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3864_before_6mo_1266431911_ssl_parse_clienthello_tlsext.c
157
158
159
160
161
162
163
164
165
166
} else if (type == TLSEXT_TYPE_elliptic_curves && s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2) {
+ show +
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = 0; if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist;
+ show +
182
183
184
185
186
187
188
189
190
191
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && s->version != DTLS1_VERSION) {

[openssl_CVE-2008-0891_1212012948_ssl_parse_clienthello_tlsext.diff] ssl_parse_clienthello_tlsext_OLD.c #1
s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); + s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2008-0891_before_1mo_1209123212_ssl_parse_clienthello_tlsext.c
87
88
89
90
91
92
93
94
95
96
case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len);
+ show +
97
98
99
100
101
102
s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; }
+ show +
103
104
105
106
107
108
109
110
111
112
s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; default:
.\cloneFuncs\totalClone\Type-3\CVE-2008-0891_before_6mo_1193400396_ssl_parse_clienthello_tlsext.c
85
86
87
88
89
90
91
92
93
94
case TLSEXT_NAMETYPE_host_name: if (s->session->tlsext_hostname == NULL) { if (len > TLSEXT_MAXLEN_host_name || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } memcpy(s->session->tlsext_hostname, sdata, len);
+ show +
95
96
97
98
99
100
s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; }
+ show +
101
102
103
104
105
106
107
108
109
110
s->servername_done = 1; } else s->servername_done = strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; default:

[qemu_CVE-2008-0928_1236101836_bdrv_aio_write.diff] bdrv_aio_write_OLD.c #1
return NULL; if (bs->read_only) return NULL; + if (bdrv_check_request(bs, sector_num, nb_sectors)) + return NULL; ret = drv->bdrv_aio_write(bs, sector_num, buf, nb_sectors, cb, opaque);
.\cloneFuncs\totalClone\Type-1\CVE-2008-0928_before_1mo_1232990272_bdrv_aio_write.c
1
2
3
4
5
6
7
8
BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num, const uint8_t *buf, int nb_sectors, BlockDriverCompletionFunc *cb, void *opaque) { BlockDriver *drv = bs->drv; BlockDriverAIOCB *ret; if (!drv)
+ show +
9
10
11
12
13
return NULL; if (bs->read_only) return NULL; ret = drv->bdrv_aio_write(bs, sector_num, buf, nb_sectors, cb, opaque);
+ show +
14
15
16
17
18
19
20
21
22
if (ret) { /* Update stats even though technically transfer has not happened. */ bs->wr_bytes += (unsigned) nb_sectors * SECTOR_SIZE; bs->wr_ops ++; } return ret; }

[qemu_CVE-2008-0928_1236101836_bdrv_read.diff] bdrv_read_OLD.c #1
if (!drv) return -ENOMEDIUM; + if (bdrv_check_request(bs, sector_num, nb_sectors)) + return -EIO; if (drv->bdrv_pread) { int ret, len;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0928_before_1mo_1232990272_bdrv_read.c
1
2
3
4
5
int bdrv_read(BlockDriverState *bs, int64_t sector_num, uint8_t *buf, int nb_sectors) { BlockDriver *drv = bs->drv;
+ show +
6
7
8
9
10
if (!drv) return -ENOMEDIUM; if (drv->bdrv_pread) { int ret, len;
+ show +
11
12
13
14
15
16
17
18
19
20
len = nb_sectors * 512; ret = drv->bdrv_pread(bs, sector_num * 512, buf, len); if (ret < 0) return ret; else if (ret != len) return -EINVAL; else { bs->rd_bytes += (unsigned) len; bs->rd_ops ++; return 0;

[qemu_CVE-2008-0928_1236101836_bdrv_write.diff] bdrv_write_OLD.c #1
return -ENOMEDIUM; if (bs->read_only) return -EACCES; + if (bdrv_check_request(bs, sector_num, nb_sectors)) + return -EIO; + if (drv->bdrv_pwrite) { int ret, len, count = 0; len = nb_sectors * 512;
.\cloneFuncs\totalClone\Type-1\CVE-2008-0928_before_1mo_1232990272_bdrv_write.c
1
2
3
4
5
int bdrv_write(BlockDriverState *bs, int64_t sector_num, const uint8_t *buf, int nb_sectors) { BlockDriver *drv = bs->drv; if (!bs->drv)
+ show +
6
7
8
9
10
11
return -ENOMEDIUM; if (bs->read_only) return -EACCES; if (drv->bdrv_pwrite) { int ret, len, count = 0; len = nb_sectors * 512;
+ show +
12
13
14
15
16
17
18
19
20
21
do { ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len - count); if (ret < 0) { printf("bdrv_write ret=%d\n", ret); return ret; } count += ret; buf += ret; } while (count != len); bs->wr_bytes += (unsigned) len;

[linux_CVE-2008-1514_1220956736___peek_user.diff] __peek_user_OLD.c #1
*/ tmp = (addr_t) task_pt_regs(child)->orig_gpr2; + } else if (addr < (addr_t) &dummy->regs.fp_regs) { + /* + * prevent reads of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + tmp = 0; + } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
.\cloneFuncs\totalClone\Type-1\CVE-2008-1514_before_imd_1216022334___peek_user.c
25
26
27
28
29
30
31
32
33
34
*/ if (addr == (addr_t) &dummy->regs.acrs[15]) tmp = ((unsigned long) child->thread.acrs[15]) << 32; else #endif tmp = *(addr_t *)((addr_t) &child->thread.acrs + offset); } else if (addr == (addr_t) &dummy->regs.orig_gpr2) { /* * orig_gpr2 is stored on the kernel stack
+ show +
35
36
37
38
39
40
*/ tmp = (addr_t) task_pt_regs(child)->orig_gpr2; } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
+ show +
41
42
43
44
45
46
47
48
49
50
*/ offset = addr - (addr_t) &dummy->regs.fp_regs; tmp = *(addr_t *)((addr_t) &child->thread.fp_regs + offset); if (addr == (addr_t) &dummy->regs.fp_regs.fpc) tmp &= (unsigned long) FPC_VALID_MASK << (BITS_PER_LONG - 32); } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) { /* * per_info is found in the thread structure

[linux_CVE-2008-1514_1220956736___peek_user_compat.diff] __peek_user_compat_OLD.c #1
*/ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); + } else if (addr < (addr_t) &dummy32->regs.fp_regs) { + /* + * prevent reads of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + tmp = 0; + } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
.\cloneFuncs\totalClone\Type-1\CVE-2008-1514_before_imd_1216022334___peek_user_compat.c
25
26
27
28
29
30
31
32
33
34
} else if (addr < (addr_t) (&dummy32->regs.orig_gpr2)) { /* * access registers are stored in the thread structure */ offset = addr - (addr_t) &dummy32->regs.acrs; tmp = *(__u32*)((addr_t) &child->thread.acrs + offset); } else if (addr == (addr_t) (&dummy32->regs.orig_gpr2)) { /* * orig_gpr2 is stored on the kernel stack
+ show +
35
36
37
38
39
40
*/ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
+ show +
41
42
43
44
45
46
47
48
49
50
*/ offset = addr - (addr_t) &dummy32->regs.fp_regs; tmp = *(__u32 *)((addr_t) &child->thread.fp_regs + offset); } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) { /* * per_info is found in the thread structure */ offset = addr - (addr_t) &dummy32->regs.per_info; /* This is magic. See per_struct and per_struct32. */

[linux_CVE-2008-1514_1220956736___poke_user.diff] __poke_user_OLD.c #1
*/ task_pt_regs(child)->orig_gpr2 = data; + } else if (addr < (addr_t) &dummy->regs.fp_regs) { + /* + * prevent writes of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + return 0; + } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
.\cloneFuncs\totalClone\Type-1\CVE-2008-1514_before_imd_1216022334___poke_user.c
36
37
38
39
40
41
42
43
44
45
*/ if (addr == (addr_t) &dummy->regs.acrs[15]) child->thread.acrs[15] = (unsigned int) (data >> 32); else #endif *(addr_t *)((addr_t) &child->thread.acrs + offset) = data; } else if (addr == (addr_t) &dummy->regs.orig_gpr2) { /* * orig_gpr2 is stored on the kernel stack
+ show +
46
47
48
49
50
51
*/ task_pt_regs(child)->orig_gpr2 = data; } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
+ show +
52
53
54
55
56
57
58
59
60
61
*/ if (addr == (addr_t) &dummy->regs.fp_regs.fpc && (data & ~((unsigned long) FPC_VALID_MASK << (BITS_PER_LONG - 32))) != 0) return -EINVAL; offset = addr - (addr_t) &dummy->regs.fp_regs; *(addr_t *)((addr_t) &child->thread.fp_regs + offset) = data; } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) { /*

[linux_CVE-2008-1514_1220956736___poke_user_compat.diff] __poke_user_compat_OLD.c #1
*/ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; + } else if (addr < (addr_t) &dummy32->regs.fp_regs) { + /* + * prevent writess of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + return 0; + } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
.\cloneFuncs\totalClone\Type-1\CVE-2008-1514_before_imd_1216022334___poke_user_compat.c
29
30
31
32
33
34
35
36
37
38
} else if (addr < (addr_t) (&dummy32->regs.orig_gpr2)) { /* * access registers are stored in the thread structure */ offset = addr - (addr_t) &dummy32->regs.acrs; *(__u32*)((addr_t) &child->thread.acrs + offset) = tmp; } else if (addr == (addr_t) (&dummy32->regs.orig_gpr2)) { /* * orig_gpr2 is stored on the kernel stack
+ show +
39
40
41
42
43
44
*/ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure
+ show +
45
46
47
48
49
50
51
52
53
54
*/ if (addr == (addr_t) &dummy32->regs.fp_regs.fpc && (tmp & ~FPC_VALID_MASK) != 0) /* Invalid floating point control. */ return -EINVAL; offset = addr - (addr_t) &dummy32->regs.fp_regs; *(__u32 *)((addr_t) &child->thread.fp_regs + offset) = tmp; } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) { /*

[openssl_CVE-2014-3470_1401372005_ssl3_send_client_key_exchange.diff] ssl3_send_client_key_exchange_OLD.c #1
int ecdh_clnt_cert = 0; int field_size = 0; + if (s->session->sess_cert == NULL) + { + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate?
.\cloneFuncs\totalClone\Type-1\CVE-2008-1672_after_1mo_1223821967_ssl3_send_client_key_exchange.c
283
284
285
286
287
288
289
290
291
292
/* perhaps clean things up a bit EAY EAY EAY EAY*/ } #endif #ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey;
+ show +
293
294
295
296
297
298
int ecdh_clnt_cert = 0; int field_size = 0; /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate?
+ show +
299
300
301
302
303
304
305
306
307
308
* If so, set ecdh_clnt_cert to 1. */ if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { /* XXX: For now, we do not support client * authentication using ECDH certificates. * To add such support, one needs to add * code that checks for appropriate * conditions and sets ecdh_clnt_cert to 1. * For example, the cert have an ECC
.\cloneFuncs\totalClone\Type-1\CVE-2008-1672_before_1mo_1199568934_ssl3_send_client_key_exchange.c
276
277
278
279
280
281
282
283
284
285
/* perhaps clean things up a bit EAY EAY EAY EAY*/ } #endif #ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey;
+ show +
286
287
288
289
290
291
int ecdh_clnt_cert = 0; int field_size = 0; /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate?
+ show +
292
293
294
295
296
297
298
299
300
301
* If so, set ecdh_clnt_cert to 1. */ if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { /* XXX: For now, we do not support client * authentication using ECDH certificates. * To add such support, one needs to add * code that checks for appropriate * conditions and sets ecdh_clnt_cert to 1. * For example, the cert have an ECC
.\cloneFuncs\totalClone\Type-1\CVE-2014-3470_before_1mo_1395152362_ssl3_send_client_key_exchange.c
322
323
324
325
326
327
328
329
330
331
/* perhaps clean things up a bit EAY EAY EAY EAY*/ } #endif #ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey;
+ show +
332
333
334
335
336
337
int ecdh_clnt_cert = 0; int field_size = 0; /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate?
+ show +
338
339
340
341
342
343
344
345
346
347
* If so, set ecdh_clnt_cert to 1. */ if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { /* XXX: For now, we do not support client * authentication using ECDH certificates. * To add such support, one needs to add * code that checks for appropriate * conditions and sets ecdh_clnt_cert to 1. * For example, the cert have an ECC
.\cloneFuncs\totalClone\Type-2\CVE-2014-3470_before_6mo_1382306604_ssl3_send_client_key_exchange.c
322
323
324
325
326
327
328
329
330
331
/* perhaps clean things up a bit EAY EAY EAY EAY*/ } #endif #ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey;
+ show +
332
333
334
335
336
337
int ecdh_clnt_cert = 0; int field_size = 0; /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate?
+ show +
338
339
340
341
342
343
344
345
346
347
* If so, set ecdh_clnt_cert to 1. */ if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { /* XXX: For now, we do not support client * authentication using ECDH certificates. * To add such support, one needs to add * code that checks for appropriate * conditions and sets ecdh_clnt_cert to 1. * For example, the cert have an ECC

[openssl_CVE-2014-3510_1406232929_ssl3_send_client_key_exchange.diff] ssl3_send_client_key_exchange_OLD.c #1
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + if (s->session->sess_cert == NULL) + { + /* We should always have a server certificate with SSL_kRSA. */ + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); + goto err; + } + if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
.\cloneFuncs\totalClone\Type-1\CVE-2008-1672_after_1mo_1223821967_ssl3_send_client_key_exchange.c
24
25
26
27
28
29
30
31
32
33
d=(unsigned char *)s->init_buf->data; p= &(d[4]); alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) {
+ show +
34
35
36
37
38
39
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
+ show +
40
41
42
43
44
45
46
47
48
49
{ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa;
.\cloneFuncs\totalClone\Type-1\CVE-2008-1672_before_1mo_1199568934_ssl3_send_client_key_exchange.c
24
25
26
27
28
29
30
31
32
33
d=(unsigned char *)s->init_buf->data; p= &(d[4]); alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) {
+ show +
34
35
36
37
38
39
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
+ show +
40
41
42
43
44
45
46
47
48
49
{ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3470_after_1mo_1404476795_ssl3_send_client_key_exchange.c
23
24
25
26
27
28
29
30
31
32
{ p = ssl_handshake_start(s); alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) {
+ show +
33
34
35
36
37
38
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
+ show +
39
40
41
42
43
44
45
46
47
48
{ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3470_before_1mo_1395152362_ssl3_send_client_key_exchange.c
23
24
25
26
27
28
29
30
31
32
{ p = ssl_handshake_start(s); alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) {
+ show +
33
34
35
36
37
38
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
+ show +
39
40
41
42
43
44
45
46
47
48
{ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa;
.\cloneFuncs\totalClone\Type-2\CVE-2014-3470_before_6mo_1382306604_ssl3_send_client_key_exchange.c
23
24
25
26
27
28
29
30
31
32
{ p = ssl_handshake_start(s); alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) {
+ show +
33
34
35
36
37
38
RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else
+ show +
39
40
41
42
43
44
45
46
47
48
{ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa;

[openssl_CVE-2008-1672_1212013054_ssl3_send_client_key_exchange.diff] ssl3_send_client_key_exchange_OLD.c #1
{ DH *dh_srvr,*dh_clnt; + if (s->session->sess_cert == NULL) + { + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; else
.\cloneFuncs\totalClone\Type-1\CVE-2008-1672_before_1mo_1199568934_ssl3_send_client_key_exchange.c
216
217
218
219
220
221
222
223
224
225
s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(epms, outl); } #endif #ifndef OPENSSL_NO_DH else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+ show +
226
227
228
229
230
231
{ DH *dh_srvr,*dh_clnt; if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; else
+ show +
232
233
234
235
236
237
238
239
240
241
{ /* we get them from the cert */ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); goto err; } /* generate a new random key */ if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) {

[qemu_CVE-2008-1945_1219357472_usb_msd_init.diff] usb_msd_init_OLD.c #1
{ MSDState *s; BlockDriverState *bdrv; + BlockDriver *drv = NULL; + const char *p1; + char fmt[32]; + + p1 = strchr(filename, ':'); + if (p1++) { + const char *p2; + + if (strstart(filename, "format=", &p2)) { + int len = MIN(p1 - p2, sizeof(fmt)); + pstrcpy(fmt, len, p2); + + drv = bdrv_find_format(fmt); + if (!drv) { + printf("invalid format %s\n", fmt); + return NULL; + } + } else if (*filename != ':') { + printf("unrecognized USB mass-storage option %s\n", filename); + return NULL; + } + + filename = p1; + } + + if (!*filename) { + printf("block device specification needed\n"); + return NULL; + } s = qemu_mallocz(sizeof(MSDState)); if (!s) return NULL; bdrv = bdrv_new("usb"); - if (bdrv_open(bdrv, filename, 0) < 0) + if (bdrv_open2(bdrv, filename, 0, drv) < 0) goto fail; if (qemu_key_check(bdrv, filename)) goto fail;
.\cloneFuncs\totalClone\Type-1\CVE-2008-1945_before_1mo_1195319691_usb_msd_init.c
1
USBDevice *usb_msd_init(const char *filename)
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
{ MSDState *s; BlockDriverState *bdrv; s = qemu_mallocz(sizeof(MSDState)); if (!s) return NULL; bdrv = bdrv_new("usb"); if (bdrv_open(bdrv, filename, 0) < 0) goto fail; if (qemu_key_check(bdrv, filename)) goto fail;
+ show +
15
16
17
18
19
20
21
22
23
24
s->bs = bdrv; s->dev.speed = USB_SPEED_FULL; s->dev.handle_packet = usb_generic_handle_packet; s->dev.handle_reset = usb_msd_handle_reset; s->dev.handle_control = usb_msd_handle_control; s->dev.handle_data = usb_msd_handle_data; s->dev.handle_destroy = usb_msd_handle_destroy;

[qemu_CVE-2008-2382_1229979983_protocol_client_msg.diff] protocol_client_msg_OLD.c #1
if (len == 1) return 4; - if (len == 4) - return 4 + (read_u16(data, 2) * 4); + if (len == 4) { + limit = read_u16(data, 2); + if (limit > 0) + return 4 + (limit * 4); + } else + limit = read_u16(data, 2); - limit = read_u16(data, 2); for (i = 0; i < limit; i++) { int32_t val = read_s32(data, 4 + (i * 4)); memcpy(data + 4 + (i * 4), &val, sizeof(val));
.\cloneFuncs\totalClone\Type-1\CVE-2008-2382_before_imd_1229194632_protocol_client_msg.c
8
9
10
11
12
13
14
15
16
17
if (len == 1) return 20; set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5), read_u8(data, 6), read_u8(data, 7), read_u16(data, 8), read_u16(data, 10), read_u16(data, 12), read_u8(data, 14), read_u8(data, 15), read_u8(data, 16)); break; case 2:
+ show +
18
19
20
21
22
23
24
25
26
27
if (len == 1) return 4; if (len == 4) return 4 + (read_u16(data, 2) * 4); limit = read_u16(data, 2); for (i = 0; i < limit; i++) { int32_t val = read_s32(data, 4 + (i * 4)); memcpy(data + 4 + (i * 4), &val, sizeof(val));
+ show +
28
29
30
31
32
33
34
35
36
37
} set_encodings(vs, (int32_t *)(data + 4), limit); break; case 3: if (len == 1) return 10; framebuffer_update_request(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
.\cloneFuncs\totalClone\Type-3\CVE-2008-2382_before_1mo_1226508636_protocol_client_msg.c
8
9
10
11
12
13
14
15
16
17
if (len == 1) return 20; set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5), read_u8(data, 6), read_u8(data, 7), read_u16(data, 8), read_u16(data, 10), read_u16(data, 12), read_u8(data, 14), read_u8(data, 15), read_u8(data, 16)); break; case 2:
+ show +
18
19
20
21
22
23
24
25
26
27
if (len == 1) return 4; if (len == 4) return 4 + (read_u16(data, 2) * 4); limit = read_u16(data, 2); for (i = 0; i < limit; i++) { int32_t val = read_s32(data, 4 + (i * 4)); memcpy(data + 4 + (i * 4), &val, sizeof(val));
+ show +
28
29
30
31
32
33
34
35
36
37
} set_encodings(vs, (int32_t *)(data + 4), limit); break; case 3: if (len == 1) return 10; framebuffer_update_request(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
.\cloneFuncs\totalClone\Type-3\CVE-2008-2382_before_6mo_1212370829_protocol_client_msg.c
8
9
10
11
12
13
14
15
16
17
if (len == 1) return 20; set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5), read_u8(data, 6), read_u8(data, 7), read_u16(data, 8), read_u16(data, 10), read_u16(data, 12), read_u8(data, 14), read_u8(data, 15), read_u8(data, 16)); break; case 2:
+ show +
18
19
20
21
22
23
24
25
26
27
if (len == 1) return 4; if (len == 4) return 4 + (read_u16(data, 2) * 4); limit = read_u16(data, 2); for (i = 0; i < limit; i++) { int32_t val = read_s32(data, 4 + (i * 4)); memcpy(data + 4 + (i * 4), &val, sizeof(val));
+ show +
28
29
30
31
32
33
34
35
36
37
} set_encodings(vs, (int32_t *)(data + 4), limit); break; case 3: if (len == 1) return 10; framebuffer_update_request(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),

[linux_CVE-2008-3272_1217694316_snd_seq_oss_synth_make_info.diff] snd_seq_oss_synth_make_info_OLD.c #1
{ struct seq_oss_synth *rec; + if (dev < 0 || dev >= dp->max_synthdev) + return -ENXIO; + if (dp->synths[dev].is_midi) { struct midi_info minf; snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
.\cloneFuncs\totalClone\Type-1\CVE-2008-3272_before_1mo_1133430231_snd_seq_oss_synth_make_info.c
1
2
int snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
+ show +
3
4
5
6
7
8
{ struct seq_oss_synth *rec; if (dp->synths[dev].is_midi) { struct midi_info minf; snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
+ show +
9
10
11
12
13
14
15
16
17
18
inf->synth_type = SYNTH_TYPE_MIDI; inf->synth_subtype = 0; inf->nr_voices = 16; inf->device = dev; strlcpy(inf->name, minf.name, sizeof(inf->name)); } else { if ((rec = get_synthdev(dp, dev)) == NULL) return -ENXIO; inf->synth_type = rec->synth_type; inf->synth_subtype = rec->synth_subtype;

[linux_CVE-2008-3528_1223565352_ext4_readdir.diff] ext4_readdir_OLD.c #1
int err; struct inode *inode = filp->f_path.dentry->d_inode; int ret = 0; + int dir_has_error = 0; sb = inode->i_sb;
.\cloneFuncs\totalClone\Type-1\CVE-2008-3528_before_imd_1220927124_ext4_readdir.c
1
2
3
4
5
6
7
8
static int ext4_readdir(struct file *filp, void *dirent, filldir_t filldir) { int error = 0; unsigned long offset; int i, stored; struct ext4_dir_entry_2 *de; struct super_block *sb;
+ show +
9
10
11
12
13
int err; struct inode *inode = filp->f_path.dentry->d_inode; int ret = 0; sb = inode->i_sb;
+ show +
14
15
16
17
18
19
20
21
22
23
if (EXT4_HAS_COMPAT_FEATURE(inode->i_sb, EXT4_FEATURE_COMPAT_DIR_INDEX) && ((EXT4_I(inode)->i_flags & EXT4_INDEX_FL) || ((inode->i_size >> sb->s_blocksize_bits) == 1))) { err = ext4_dx_readdir(filp, dirent, filldir); if (err != ERR_BAD_DX_DIR) { ret = err; goto out; }
.\cloneFuncs\totalClone\Type-2\CVE-2008-3528_before_1mo_1220929252_ext4_readdir.c
1
2
3
4
5
6
7
8
static int ext4_readdir(struct file * filp, void * dirent, filldir_t filldir) { int error = 0; unsigned long offset; int i, stored; struct ext4_dir_entry_2 *de; struct super_block *sb;
+ show +
9
10
11
12
13
int err; struct inode *inode = filp->f_path.dentry->d_inode; int ret = 0; sb = inode->i_sb;
+ show +
14
15
16
17
18
19
20
21
22
23
if (EXT4_HAS_COMPAT_FEATURE(inode->i_sb, EXT4_FEATURE_COMPAT_DIR_INDEX) && ((EXT4_I(inode)->i_flags & EXT4_INDEX_FL) || ((inode->i_size >> sb->s_blocksize_bits) == 1))) { err = ext4_dx_readdir(filp, dirent, filldir); if (err != ERR_BAD_DX_DIR) { ret = err; goto out; }
.\cloneFuncs\totalClone\Type-3\CVE-2008-3528_before_6mo_1203978046_ext4_readdir.c
1
2
3
4
5
6
7
8
static int ext4_readdir(struct file * filp, void * dirent, filldir_t filldir) { int error = 0; unsigned long offset; int i, stored; struct ext4_dir_entry_2 *de; struct super_block *sb;
+ show +
9
10
11
12
13
int err; struct inode *inode = filp->f_path.dentry->d_inode; int ret = 0; sb = inode->i_sb;
+ show +
14
15
16
17
18
19
20
21
22
23
if (EXT4_HAS_COMPAT_FEATURE(inode->i_sb, EXT4_FEATURE_COMPAT_DIR_INDEX) && ((EXT4_I(inode)->i_flags & EXT4_INDEX_FL) || ((inode->i_size >> sb->s_blocksize_bits) == 1))) { err = ext4_dx_readdir(filp, dirent, filldir); if (err != ERR_BAD_DX_DIR) { ret = err; goto out; }

[linux_CVE-2008-3528_1223565352_ext4_readdir.diff] ext4_readdir_OLD.c #2
* of recovering data when there's a bad sector */ if (!bh) { - ext4_error(sb, "ext4_readdir", - "directory #%lu contains a hole at offset %lu", - inode->i_ino, (unsigned long)filp->f_pos); + if (!dir_has_error) { + ext4_error(sb, __func__, "directory #%lu " + "contains a hole at offset %Lu", + inode->i_ino, + (unsigned long long) filp->f_pos); + dir_has_error = 1; + } /* corrupt size? Maybe no more blocks to read */ if (filp->f_pos > inode->i_blocks << 9) break;
.\cloneFuncs\totalClone\Type-1\CVE-2008-3528_before_imd_1220927124_ext4_readdir.c
45
46
47
48
49
50
51
52
53
54
page_cache_sync_readahead( sb->s_bdev->bd_inode->i_mapping, &filp->f_ra, filp, index, 1); filp->f_ra.prev_pos = (loff_t)index << PAGE_CACHE_SHIFT; bh = ext4_bread(NULL, inode, blk, 0, &err); } /* * We ignore I/O errors on directories so users have a chance
+ show +
55
56
57
58
59
60
61
62
63
* of recovering data when there's a bad sector */ if (!bh) { ext4_error(sb, "ext4_readdir", "directory #%lu contains a hole at offset %lu", inode->i_ino, (unsigned long)filp->f_pos); /* corrupt size? Maybe no more blocks to read */ if (filp->f_pos > inode->i_blocks << 9) break;
+ show +
64
65
66
67
68
69
70
71
72
73
filp->f_pos += sb->s_blocksize - offset; continue; } revalidate: /* If the dir block has changed since the last call to * readdir(2), then we might be pointing to an invalid * dirent right now. Scan from the start of the block * to make sure. */ if (filp->f_version != inode->i_version) {
.\cloneFuncs\totalClone\Type-2\CVE-2008-3528_before_1mo_1220929252_ext4_readdir.c
45
46
47
48
49
50
51
52
53
54
page_cache_sync_readahead( sb->s_bdev->bd_inode->i_mapping, &filp->f_ra, filp, index, 1); filp->f_ra.prev_pos = (loff_t)index << PAGE_CACHE_SHIFT; bh = ext4_bread(NULL, inode, blk, 0, &err); } /* * We ignore I/O errors on directories so users have a chance
+ show +
55
56
57
58
59
60
61
62
63
* of recovering data when there's a bad sector */ if (!bh) { ext4_error (sb, "ext4_readdir", "directory #%lu contains a hole at offset %lu", inode->i_ino, (unsigned long)filp->f_pos); /* corrupt size? Maybe no more blocks to read */ if (filp->f_pos > inode->i_blocks << 9) break;
+ show +
64
65
66
67
68
69
70
71
72
73
filp->f_pos += sb->s_blocksize - offset; continue; } revalidate: /* If the dir block has changed since the last call to * readdir(2), then we might be pointing to an invalid * dirent right now. Scan from the start of the block * to make sure. */ if (filp->f_version != inode->i_version) {
.\cloneFuncs\totalClone\Type-3\CVE-2008-3528_before_6mo_1203978046_ext4_readdir.c
44
45
46
47
48
49
50
51
52
53
page_cache_sync_readahead( sb->s_bdev->bd_inode->i_mapping, &filp->f_ra, filp, index, 1); filp->f_ra.prev_pos = (loff_t)index << PAGE_CACHE_SHIFT; bh = ext4_bread(NULL, inode, blk, 0, &err); } /* * We ignore I/O errors on directories so users have a chance
+ show +
54
55
56
57
58
59
60
61
62
* of recovering data when there's a bad sector */ if (!bh) { ext4_error (sb, "ext4_readdir", "directory #%lu contains a hole at offset %lu", inode->i_ino, (unsigned long)filp->f_pos); /* corrupt size? Maybe no more blocks to read */ if (filp->f_pos > inode->i_blocks << 9) break;
+ show +
63
64
65
66
67
68
69
70
71
72
filp->f_pos += sb->s_blocksize - offset; continue; } revalidate: /* If the dir block has changed since the last call to * readdir(2), then we might be pointing to an invalid * dirent right now. Scan from the start of the block * to make sure. */ if (filp->f_version != inode->i_version) {

[linux_CVE-2008-5079_1228431493_svc_listen.diff] svc_listen_OLD.c #1
error = -EINVAL; goto out; } - vcc_insert_socket(sk); + if (test_bit(ATM_VF_LISTEN, &vcc->flags)) { + error = -EADDRINUSE; + goto out; + } set_bit(ATM_VF_WAITING, &vcc->flags); prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE); sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
.\cloneFuncs\totalClone\Type-1\CVE-2008-5079_before_1mo_1191911062_svc_listen.c
2
3
4
5
6
7
8
9
10
11
{ DEFINE_WAIT(wait); struct sock *sk = sock->sk; struct atm_vcc *vcc = ATM_SD(sock); int error; pr_debug("svc_listen %p\n",vcc); lock_sock(sk); /* let server handle listen on unbound sockets */ if (test_bit(ATM_VF_SESSION,&vcc->flags)) {
+ show +
12
13
14
15
16
17
18
error = -EINVAL; goto out; } vcc_insert_socket(sk); set_bit(ATM_VF_WAITING, &vcc->flags); prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE); sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
+ show +
19
20
21
22
23
24
25
26
27
28
while (test_bit(ATM_VF_WAITING, &vcc->flags) && sigd) { schedule(); prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE); } finish_wait(sk->sk_sleep, &wait); if (!sigd) { error = -EUNATCH; goto out; } set_bit(ATM_VF_LISTEN,&vcc->flags);

[linux_CVE-2009-0676_1235432321_sock_getsockopt.diff] sock_getsockopt_OLD.c #1
if (len < 0) return -EINVAL; - v.val = 0; + memset(&v, 0, sizeof(v)); switch(optname) { case SO_DEBUG:
.\cloneFuncs\totalClone\Type-1\CVE-2009-0676_before_imd_1234934645_sock_getsockopt.c
7
8
9
10
11
12
13
14
15
16
int val; struct linger ling; struct timeval tm; } v; unsigned int lv = sizeof(int); int len; if (get_user(len, optlen)) return -EFAULT;
+ show +
17
18
19
20
21
22
23
if (len < 0) return -EINVAL; v.val = 0; switch(optname) { case SO_DEBUG:
+ show +
24
25
26
27
28
29
30
31
32
33
v.val = sock_flag(sk, SOCK_DBG); break; case SO_DONTROUTE: v.val = sock_flag(sk, SOCK_LOCALROUTE); break; case SO_BROADCAST: v.val = !!sock_flag(sk, SOCK_BROADCAST); break;

[libtiff_CVE-2009-2347_1251134105_cvt_whole_image.diff] cvt_whole_image_OLD.c #1
uint32* raster; /* retrieve RGBA image */ uint32 width, height; /* image width & height */ uint32 row; + size_t pixel_count; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + pixel_count = width * height; + + /* XXX: Check the integer overflow. */ + if (!width || !height || pixel_count / width != height) { + TIFFError(TIFFFileName(in), + "Malformed input file; can't allocate buffer for raster of %lux%lu size", + (unsigned long)width, (unsigned long)height); + return 0; + } rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); + raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer"); if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); + TIFFError(TIFFFileName(in), "Failed to allocate buffer (%lu elements of %lu each)", + (unsigned long)pixel_count, (unsigned long)sizeof(uint32)); return (0); }
.\cloneFuncs\totalClone\Type-1\CVE-2009-2347_before_1mo_1181744519_cvt_whole_image.c
1
2
3
4
static int cvt_whole_image( TIFF *in, TIFF *out ) {
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
uint32* raster; /* retrieve RGBA image */ uint32 width, height; /* image width & height */ uint32 row; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); }
+ show +
20
21
22
23
24
25
26
27
28
29
/* Read the image in one chunk into an RGBA array */ if (!TIFFReadRGBAImageOriented(in, width, height, raster, ORIENTATION_TOPLEFT, 0)) { _TIFFfree(raster); return (0); } /* * XXX: raster array has 4-byte unsigned integer type, that is why

[libtiff_CVE-2009-2347_1251134105_cvt_whole_image.diff] cvt_whole_image_OLD.c #2
*/ if (no_alpha) { - int pixel_count = width * height; + size_t count = pixel_count; unsigned char *src, *dst; src = dst = (unsigned char *) raster; - while (pixel_count > 0) + while (count > 0) { *(dst++) = *(src++); *(dst++) = *(src++); *(dst++) = *(src++); - src++, pixel_count--; + src++; + count--; } }
.\cloneFuncs\totalClone\Type-1\CVE-2009-2347_before_1mo_1181744519_cvt_whole_image.c
28
29
30
31
32
33
34
35
36
37
/* * XXX: raster array has 4-byte unsigned integer type, that is why * we should rearrange it here. */ #if HOST_BIGENDIAN TIFFSwabArrayOfLong(raster, width * height); #endif /* * Do we want to strip away alpha components?
+ show +
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
*/ if (no_alpha) { int pixel_count = width * height; unsigned char *src, *dst; src = dst = (unsigned char *) raster; while (pixel_count > 0) { *(dst++) = *(src++); *(dst++) = *(src++); *(dst++) = *(src++); src++, pixel_count--; } }
+ show +
53
54
55
56
57
58
59
60
61
62
/* * Write out the result in strips */ for (row = 0; row < height; row += rowsperstrip) { unsigned char * raster_strip; int rows_to_write; int bytes_per_pixel;

[linux_CVE-2009-2903_1252694122_atalk_route_packet.diff] atalk_route_packet_OLD.c #1
-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, - struct ddpehdr *ddp, __u16 len_hops, - int origlen) +static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev, + struct ddpehdr *ddp, __u16 len_hops, int origlen) { struct atalk_route *rt; struct atalk_addr ta;
.\cloneFuncs\totalClone\Type-1\CVE-2009-2903_before_1mo_1249878587_atalk_route_packet.c
+ show +
1
2
3
4
5
6
static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, struct ddpehdr *ddp, __u16 len_hops, int origlen) { struct atalk_route *rt; struct atalk_addr ta;
+ show +
7
8
9
10
11
12
13
14
15
16
/* * Don't route multicast, etc., packets, or packets sent to "this * network" */ if (skb->pkt_type != PACKET_HOST || !ddp->deh_dnet) { /* * FIXME: * * Can it ever happen that a packet is from a PPP iface and

[linux_CVE-2009-2903_1252694122_atalk_route_packet.diff] atalk_route_packet_OLD.c #2
/* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */ struct sk_buff *nskb = skb_realloc_headroom(skb, 32); kfree_skb(skb); - if (!nskb) - goto out; skb = nskb; } else skb = skb_unshare(skb, GFP_ATOMIC);
.\cloneFuncs\totalClone\Type-1\CVE-2009-2903_before_1mo_1249878587_atalk_route_packet.c
57
58
59
60
61
62
63
64
65
66
* * Now we must always be careful. If it's come from LocalTalk to * EtherTalk it might not fit * * Order matters here: If a packet has to be copied to make a new * headroom (rare hopefully) then it won't need unsharing. * * Note. ddp-> becomes invalid at the realloc. */ if (skb_headroom(skb) < 22) {
+ show +
67
68
69
70
71
72
73
74
/* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */ struct sk_buff *nskb = skb_realloc_headroom(skb, 32); kfree_skb(skb); if (!nskb) goto out; skb = nskb; } else skb = skb_unshare(skb, GFP_ATOMIC);
+ show +
75
76
77
78
79
80
81
82
83
84
/* * If the buffer didn't vanish into the lack of space bitbucket we can * send it. */ if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1) goto free_it; out: return; free_it:

[linux_CVE-2009-2903_1252694122_atalk_sendmsg.diff] atalk_sendmsg_OLD.c #1
if (skb2) { loopback = 1; SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); - if (aarp_send_ddp(dev, skb2, - &usat->sat_addr, NULL) == -1) - kfree_skb(skb2); - /* else queued/sent above in the aarp queue */ + /* + * If it fails it is queued/sent above in the aarp queue + */ + aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL); } }
.\cloneFuncs\totalClone\Type-1\CVE-2009-2903_before_1mo_1249878587_atalk_sendmsg.c
103
104
105
106
107
108
109
110
111
112
ddp->deh_sum = atalk_checksum(skb, len + sizeof(*ddp)); /* * Loopback broadcast packets to non gateway targets (ie routes * to group we are in) */ if (ddp->deh_dnode == ATADDR_BCAST && !(rt->flags & RTF_GATEWAY) && !(dev->flags & IFF_LOOPBACK)) { struct sk_buff *skb2 = skb_copy(skb, GFP_KERNEL);
+ show +
113
114
115
116
117
118
119
120
121
if (skb2) { loopback = 1; SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); if (aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL) == -1) kfree_skb(skb2); /* else queued/sent above in the aarp queue */ } }
+ show +
122
123
124
125
126
127
128
129
130
131
if (dev->flags & IFF_LOOPBACK || loopback) { SOCK_DEBUG(sk, "SK %p: Loop back.\n", sk); /* loop back */ skb_orphan(skb); if (ddp->deh_dnode == ATADDR_BCAST) { struct atalk_addr at_lo; at_lo.s_node = 0; at_lo.s_net = 0;
.\cloneFuncs\totalClone\Type-3\CVE-2009-2903_before_6mo_1236586709_atalk_sendmsg.c
107
108
109
110
111
112
113
114
115
116
ddp->deh_sum = atalk_checksum(skb, len + sizeof(*ddp)); /* * Loopback broadcast packets to non gateway targets (ie routes * to group we are in) */ if (ddp->deh_dnode == ATADDR_BCAST && !(rt->flags & RTF_GATEWAY) && !(dev->flags & IFF_LOOPBACK)) { struct sk_buff *skb2 = skb_copy(skb, GFP_KERNEL);
+ show +
117
118
119
120
121
122
123
124
125
if (skb2) { loopback = 1; SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); if (aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL) == -1) kfree_skb(skb2); /* else queued/sent above in the aarp queue */ } }
+ show +
126
127
128
129
130
131
132
133
134
135
if (dev->flags & IFF_LOOPBACK || loopback) { SOCK_DEBUG(sk, "SK %p: Loop back.\n", sk); /* loop back */ skb_orphan(skb); if (ddp->deh_dnode == ATADDR_BCAST) { struct atalk_addr at_lo; at_lo.s_node = 0; at_lo.s_net = 0;

[linux_CVE-2009-2903_1252694122_handle_ip_over_ddp.diff] handle_ip_over_ddp_OLD.c #1
struct net_device_stats *stats; /* This needs to be able to handle ipddp"N" devices */ - if (!dev) - return -ENODEV; + if (!dev) { + kfree_skb(skb); + return NET_RX_DROP; + } skb->protocol = htons(ETH_P_IP); skb_pull(skb, 13);
.\cloneFuncs\totalClone\Type-1\CVE-2009-2903_before_1mo_1249878587_handle_ip_over_ddp.c
1
2
3
static int handle_ip_over_ddp(struct sk_buff *skb) { struct net_device *dev = __dev_get_by_name(&init_net, "ipddp0");
+ show +
4
5
6
7
8
9
10
11
struct net_device_stats *stats; /* This needs to be able to handle ipddp"N" devices */ if (!dev) return -ENODEV; skb->protocol = htons(ETH_P_IP); skb_pull(skb, 13);
+ show +
12
13
14
15
16
17
18
19
20
skb->dev = dev; skb_reset_transport_header(skb); stats = netdev_priv(dev); stats->rx_packets++; stats->rx_bytes += skb->len + 13; netif_rx(skb); /* Send the SKB up to a higher place. */ return 0; }

[linux_CVE-2009-2903_1252694122_atalk_rcv.diff] atalk_rcv_OLD.c #1
/* Not ours, so we route the packet via the correct * AppleTalk iface */ - atalk_route_packet(skb, dev, ddp, len_hops, origlen); - return NET_RX_SUCCESS; + return atalk_route_packet(skb, dev, ddp, len_hops, origlen); } /* if IP over DDP is not selected this code will be optimized out */
.\cloneFuncs\totalClone\Type-1\CVE-2009-2903_before_imd_1249600882_atalk_rcv.c
47
48
49
50
51
52
53
54
55
56
/* Not a valid AppleTalk frame - dustbin time */ goto drop; /* Check the packet is aimed at us */ if (!ddp->deh_dnet) /* Net 0 is 'this network' */ atif = atalk_find_anynet(ddp->deh_dnode, dev); else atif = atalk_find_interface(ddp->deh_dnet, ddp->deh_dnode); if (!atif) {
+ show +
57
58
59
60
61
62
63
64
/* Not ours, so we route the packet via the correct * AppleTalk iface */ atalk_route_packet(skb, dev, ddp, len_hops, origlen); return NET_RX_SUCCESS; } /* if IP over DDP is not selected this code will be optimized out */
+ show +
65
66
67
68
69
70
71
72
73
74
if (is_ip_over_ddp(skb)) return handle_ip_over_ddp(skb); /* * Which socket - atalk_search_socket() looks for a *full match* * of the <net, node, port> tuple. */ tosat.sat_addr.s_net = ddp->deh_dnet; tosat.sat_addr.s_node = ddp->deh_dnode; tosat.sat_port = ddp->deh_dport;

[linux_CVE-2009-3080_1255996513_gdth_read_event.diff] gdth_read_event_OLD.c #1
eindex = handle; estr->event_source = 0; - if (eindex >= MAX_EVENTS) { + if (eindex < 0 || eindex >= MAX_EVENTS) { spin_unlock_irqrestore(&ha->smp_lock, flags); return eindex; }
.\cloneFuncs\totalClone\Type-1\CVE-2009-3080_before_1mo_1239069673_gdth_read_event.c
2
3
4
5
6
7
8
9
10
11
{ gdth_evt_str *e; int eindex; ulong flags; TRACE2(("gdth_read_event() handle %d\n", handle)); spin_lock_irqsave(&ha->smp_lock, flags); if (handle == -1) eindex = eoldidx; else
+ show +
12
13
14
15
16
17
18
eindex = handle; estr->event_source = 0; if (eindex >= MAX_EVENTS) { spin_unlock_irqrestore(&ha->smp_lock, flags); return eindex; }
+ show +
19
20
21
22
23
24
25
26
27
28
e = &ebuffer[eindex]; if (e->event_source != 0) { if (eindex != elastidx) { if (++eindex == MAX_EVENTS) eindex = 0; } else { eindex = -1; } memcpy(estr, e, sizeof(gdth_evt_str)); }

[openssl_CVE-2009-3245_1266921395_ubsec_dh_generate_key.diff] ubsec_dh_generate_key_OLD.c #1
priv_key = BN_new(); if (priv_key == NULL) goto err; priv_key_len = BN_num_bits(dh->p); - bn_wexpand(priv_key, dh->p->top); + if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err; do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key));
.\cloneFuncs\totalClone\Type-1\CVE-2009-3245_before_1mo_1181222082_ubsec_dh_generate_key.c
8
9
10
11
12
13
14
15
16
17
BIGNUM *pub_key = NULL; BIGNUM *priv_key = NULL; /* * How many bits should Random x be? dh_key.c * sets the range from 0 to num_bits(modulus) ??? */ if (dh->priv_key == NULL) {
+ show +
18
19
20
21
22
23
24
priv_key = BN_new(); if (priv_key == NULL) goto err; priv_key_len = BN_num_bits(dh->p); bn_wexpand(priv_key, dh->p->top); do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key));
+ show +
25
26
27
28
29
30
31
32
33
34
random_bits = BN_num_bits(priv_key); } else { priv_key = dh->priv_key; } if (dh->pub_key == NULL) { pub_key = BN_new();

[openssl_CVE-2009-3245_1266921395_ubsec_dh_generate_key.diff] ubsec_dh_generate_key_OLD.c #2
{ pub_key = BN_new(); pub_key_len = BN_num_bits(dh->p); - bn_wexpand(pub_key, dh->p->top); + if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err; if(pub_key == NULL) goto err; } else
.\cloneFuncs\totalClone\Type-1\CVE-2009-3245_before_1mo_1181222082_ubsec_dh_generate_key.c
23
24
25
26
27
28
29
30
31
32
if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key)); random_bits = BN_num_bits(priv_key); } else { priv_key = dh->priv_key; } if (dh->pub_key == NULL)
+ show +
33
34
35
36
37
38
39
{ pub_key = BN_new(); pub_key_len = BN_num_bits(dh->p); bn_wexpand(pub_key, dh->p->top); if(pub_key == NULL) goto err; } else
+ show +
40
41
42
43
44
45
46
47
48
49
{ pub_key = dh->pub_key; } if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) { const DH_METHOD *meth; UBSECerr(UBSEC_F_UBSEC_DH_GENERATE_KEY, UBSEC_R_UNIT_FAILURE); meth = DH_OpenSSL(); ret = meth->generate_key(dh);

[linux_CVE-2009-4307_1326214270_ext4_fill_flex_info.diff] ext4_fill_flex_info_OLD.c #1
struct ext4_group_desc *gdp = NULL; ext4_group_t flex_group_count; ext4_group_t flex_group; - int groups_per_flex = 0; + unsigned int groups_per_flex = 0; size_t size; int i; sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; - groups_per_flex = 1 << sbi->s_log_groups_per_flex; - - if (groups_per_flex < 2) { + if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) { sbi->s_log_groups_per_flex = 0; return 1; } + groups_per_flex = 1 << sbi->s_log_groups_per_flex; /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
.\cloneFuncs\totalClone\Type-1\CVE-2009-4307_before_1mo_1320681009_ext4_fill_flex_info.c
1
2
3
static int ext4_fill_flex_info(struct super_block *sb) { struct ext4_sb_info *sbi = EXT4_SB(sb);
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
struct ext4_group_desc *gdp = NULL; ext4_group_t flex_group_count; ext4_group_t flex_group; int groups_per_flex = 0; size_t size; int i; sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; groups_per_flex = 1 << sbi->s_log_groups_per_flex; if (groups_per_flex < 2) { sbi->s_log_groups_per_flex = 0; return 1; } /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
+ show +
21
22
23
24
25
26
27
28
29
30
((le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) + 1) << EXT4_DESC_PER_BLOCK_BITS(sb))) / groups_per_flex; size = flex_group_count * sizeof(struct flex_groups); sbi->s_flex_groups = ext4_kvzalloc(size, GFP_KERNEL); if (sbi->s_flex_groups == NULL) { ext4_msg(sb, KERN_ERR, "not enough memory for %u flex groups", flex_group_count); goto failed; }
.\cloneFuncs\totalClone\Type-3\CVE-2009-4307_before_6mo_1310351870_ext4_fill_flex_info.c
1
2
3
static int ext4_fill_flex_info(struct super_block *sb) { struct ext4_sb_info *sbi = EXT4_SB(sb);
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
struct ext4_group_desc *gdp = NULL; ext4_group_t flex_group_count; ext4_group_t flex_group; int groups_per_flex = 0; size_t size; int i; sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; groups_per_flex = 1 << sbi->s_log_groups_per_flex; if (groups_per_flex < 2) { sbi->s_log_groups_per_flex = 0; return 1; } /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
+ show +
21
22
23
24
25
26
27
28
29
30
((le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) + 1) << EXT4_DESC_PER_BLOCK_BITS(sb))) / groups_per_flex; size = flex_group_count * sizeof(struct flex_groups); sbi->s_flex_groups = kzalloc(size, GFP_KERNEL); if (sbi->s_flex_groups == NULL) { sbi->s_flex_groups = vzalloc(size); if (sbi->s_flex_groups == NULL) { ext4_msg(sb, KERN_ERR, "not enough memory for %u flex groups", flex_group_count);

[linux_CVE-2009-4537_1269893762_rtl8169_change_mtu.diff] rtl8169_change_mtu_OLD.c #1
rtl8169_down(dev); - rtl8169_set_rxbufsize(tp, dev); + rtl8169_set_rxbufsize(tp, dev->mtu); ret = rtl8169_init_ring(dev); if (ret < 0)
.\cloneFuncs\totalClone\Type-1\CVE-2009-4537_before_1mo_1266916789_rtl8169_change_mtu.c
4
5
6
7
8
9
10
11
12
13
int ret = 0; if (new_mtu < ETH_ZLEN || new_mtu > SafeMtu) return -EINVAL; dev->mtu = new_mtu; if (!netif_running(dev)) goto out;
+ show +
14
15
16
17
18
19
rtl8169_down(dev); rtl8169_set_rxbufsize(tp, dev); ret = rtl8169_init_ring(dev); if (ret < 0)
+ show +
20
21
22
23
24
25
26
27
28
29
goto out; napi_enable(&tp->napi); rtl_hw_start(dev); rtl8169_request_timer(dev); out: return ret;

[linux_CVE-2009-4537_1269893762_rtl8169_open.diff] rtl8169_open_OLD.c #1
int retval = -ENOMEM; - rtl8169_set_rxbufsize(tp, dev); + /* + * Note that we use a magic value here, its wierd I know + * its done because, some subset of rtl8169 hardware suffers from + * a problem in which frames received that are longer than + * the size set in RxMaxSize register return garbage sizes + * when received. To avoid this we need to turn off filtering, + * which is done by setting a value of 16383 in the RxMaxSize register + * and allocating 16k frames to handle the largest possible rx value + * thats what the magic math below does. + */ + rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN); /* * Rx and Tx desscriptors needs 256 bytes alignment.
.\cloneFuncs\totalClone\Type-1\CVE-2009-4537_before_1mo_1266916789_rtl8169_open.c
1
2
3
4
static int rtl8169_open(struct net_device *dev) { struct rtl8169_private *tp = netdev_priv(dev); struct pci_dev *pdev = tp->pci_dev;
+ show +
5
6
7
8
9
10
11
int retval = -ENOMEM; rtl8169_set_rxbufsize(tp, dev); /* * Rx and Tx desscriptors needs 256 bytes alignment.
+ show +
12
13
14
15
16
17
18
19
20
21
* pci_alloc_consistent provides more. */ tp->TxDescArray = pci_alloc_consistent(pdev, R8169_TX_RING_BYTES, &tp->TxPhyAddr); if (!tp->TxDescArray) goto out; tp->RxDescArray = pci_alloc_consistent(pdev, R8169_RX_RING_BYTES, &tp->RxPhyAddr); if (!tp->RxDescArray)

[linux_CVE-2009-4538_1263910559_e1000_clean_rx_irq.diff] e1000_clean_rx_irq_OLD.c #1
length = le16_to_cpu(rx_desc->length); - /* !EOP means multiple descriptors were used to store a single - * packet, also make sure the frame isn't just CRC only */ - if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) { + /* + * !EOP means multiple descriptors were used to store a single + * packet, if that's the case we need to toss it. In fact, we + * need to toss every packet with the EOP bit clear and the + * next frame that _does_ have the EOP bit set, as it is by + * definition only a frame fragment + */ + if (unlikely(!(status & E1000_RXD_STAT_EOP))) + adapter->flags2 |= FLAG2_IS_DISCARDING; + + if (adapter->flags2 & FLAG2_IS_DISCARDING) { /* All receives must fit into a single buffer */ e_dbg("Receive packet consumed multiple buffers\n"); /* recycle */ buffer_info->skb = skb; + if (status & E1000_RXD_STAT_EOP) + adapter->flags2 &= ~FLAG2_IS_DISCARDING; goto next_desc; }
.\cloneFuncs\totalClone\Type-1\CVE-2009-4538_before_1mo_1260257261_e1000_clean_rx_irq.c
40
41
42
43
44
45
46
47
48
49
next_buffer = &rx_ring->buffer_info[i]; cleaned = 1; cleaned_count++; pci_unmap_single(pdev, buffer_info->dma, adapter->rx_buffer_len, PCI_DMA_FROMDEVICE); buffer_info->dma = 0;
+ show +
50
51
52
53
54
55
56
57
58
59
60
length = le16_to_cpu(rx_desc->length); /* !EOP means multiple descriptors were used to store a single * packet, also make sure the frame isn't just CRC only */ if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) { /* All receives must fit into a single buffer */ e_dbg("Receive packet consumed multiple buffers\n"); /* recycle */ buffer_info->skb = skb; goto next_desc; }
+ show +
61
62
63
64
65
66
67
68
69
70
if (rx_desc->errors & E1000_RXD_ERR_FRAME_ERR_MASK) { /* recycle */ buffer_info->skb = skb; goto next_desc; } /* adjust length to remove Ethernet CRC */ if (!(adapter->flags2 & FLAG2_CRC_STRIPPING)) length -= 4;

[linux_CVE-2009-4538_1263910559_e1000_clean_rx_irq_ps.diff] e1000_clean_rx_irq_ps_OLD.c #1
PCI_DMA_FROMDEVICE); buffer_info->dma = 0; - if (!(staterr & E1000_RXD_STAT_EOP)) { + /* see !EOP comment in other rx routine */ + if (!(staterr & E1000_RXD_STAT_EOP)) + adapter->flags2 |= FLAG2_IS_DISCARDING; + + if (adapter->flags2 & FLAG2_IS_DISCARDING) { e_dbg("Packet Split buffers didn't pick up the full " "packet\n"); dev_kfree_skb_irq(skb); + if (staterr & E1000_RXD_STAT_EOP) + adapter->flags2 &= ~FLAG2_IS_DISCARDING; goto next_desc; }
.\cloneFuncs\totalClone\Type-1\CVE-2009-4538_before_1mo_1260257261_e1000_clean_rx_irq_ps.c
34
35
36
37
38
39
40
41
42
43
i = 0; next_rxd = E1000_RX_DESC_PS(*rx_ring, i); prefetch(next_rxd); next_buffer = &rx_ring->buffer_info[i]; cleaned = 1; cleaned_count++; pci_unmap_single(pdev, buffer_info->dma, adapter->rx_ps_bsize0,
+ show +
44
45
46
47
48
49
50
51
52
PCI_DMA_FROMDEVICE); buffer_info->dma = 0; if (!(staterr & E1000_RXD_STAT_EOP)) { e_dbg("Packet Split buffers didn't pick up the full " "packet\n"); dev_kfree_skb_irq(skb); goto next_desc; }
+ show +
53
54
55
56
57
58
59
60
61
62
if (staterr & E1000_RXDEXT_ERR_FRAME_ERR_MASK) { dev_kfree_skb_irq(skb); goto next_desc; } length = le16_to_cpu(rx_desc->wb.middle.length0); if (!length) { e_dbg("Last part of the packet spanning multiple "

[linux_CVE-2010-2492_1279054757_ecryptfs_init_messaging.diff] ecryptfs_init_messaging_OLD.c #1
} mutex_init(&ecryptfs_daemon_hash_mux); mutex_lock(&ecryptfs_daemon_hash_mux); - ecryptfs_hash_buckets = 1; - while (ecryptfs_number_of_users >> ecryptfs_hash_buckets) - ecryptfs_hash_buckets++; + ecryptfs_hash_bits = 1; + while (ecryptfs_number_of_users >> ecryptfs_hash_bits) + ecryptfs_hash_bits++; ecryptfs_daemon_hash = kmalloc((sizeof(struct hlist_head) - * ecryptfs_hash_buckets), GFP_KERNEL); + * (1 << ecryptfs_hash_bits)), + GFP_KERNEL); if (!ecryptfs_daemon_hash) { rc = -ENOMEM; printk(KERN_ERR "%s: Failed to allocate memory\n", __func__); mutex_unlock(&ecryptfs_daemon_hash_mux); goto out; } - for (i = 0; i < ecryptfs_hash_buckets; i++) + for (i = 0; i < (1 << ecryptfs_hash_bits); i++) INIT_HLIST_HEAD(&ecryptfs_daemon_hash[i]); mutex_unlock(&ecryptfs_daemon_hash_mux); ecryptfs_msg_ctx_arr = kmalloc((sizeof(struct ecryptfs_msg_ctx)
.\cloneFuncs\totalClone\Type-1\CVE-2010-2492_before_1mo_1237144621_ecryptfs_init_messaging.c
1
2
3
4
5
6
7
8
9
10
int ecryptfs_init_messaging(void) { int i; int rc = 0; if (ecryptfs_number_of_users > ECRYPTFS_MAX_NUM_USERS) { ecryptfs_number_of_users = ECRYPTFS_MAX_NUM_USERS; printk(KERN_WARNING "%s: Specified number of users is " "too large, defaulting to [%d] users\n", __func__, ecryptfs_number_of_users);
+ show +
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
} mutex_init(&ecryptfs_daemon_hash_mux); mutex_lock(&ecryptfs_daemon_hash_mux); ecryptfs_hash_buckets = 1; while (ecryptfs_number_of_users >> ecryptfs_hash_buckets) ecryptfs_hash_buckets++; ecryptfs_daemon_hash = kmalloc((sizeof(struct hlist_head) * ecryptfs_hash_buckets), GFP_KERNEL); if (!ecryptfs_daemon_hash) { rc = -ENOMEM; printk(KERN_ERR "%s: Failed to allocate memory\n", __func__); mutex_unlock(&ecryptfs_daemon_hash_mux); goto out; } for (i = 0; i < ecryptfs_hash_buckets; i++) INIT_HLIST_HEAD(&ecryptfs_daemon_hash[i]); mutex_unlock(&ecryptfs_daemon_hash_mux); ecryptfs_msg_ctx_arr = kmalloc((sizeof(struct ecryptfs_msg_ctx)
+ show +
29
30
31
32
33
34
35
36
37
38
* ecryptfs_message_buf_len), GFP_KERNEL); if (!ecryptfs_msg_ctx_arr) { rc = -ENOMEM; printk(KERN_ERR "%s: Failed to allocate memory\n", __func__); goto out; } mutex_init(&ecryptfs_msg_ctx_lists_mux); mutex_lock(&ecryptfs_msg_ctx_lists_mux); ecryptfs_msg_counter = 0;

[linux_CVE-2010-2492_1279054757_ecryptfs_release_messaging.diff] ecryptfs_release_messaging_OLD.c #1
int i; mutex_lock(&ecryptfs_daemon_hash_mux); - for (i = 0; i < ecryptfs_hash_buckets; i++) { + for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { int rc; hlist_for_each_entry(daemon, elem,
.\cloneFuncs\totalClone\Type-1\CVE-2010-2492_before_1mo_1237144621_ecryptfs_release_messaging.c
9
10
11
12
13
14
15
16
17
18
if (ecryptfs_msg_ctx_arr[i].msg) kfree(ecryptfs_msg_ctx_arr[i].msg); mutex_unlock(&ecryptfs_msg_ctx_arr[i].mux); } kfree(ecryptfs_msg_ctx_arr); mutex_unlock(&ecryptfs_msg_ctx_lists_mux); } if (ecryptfs_daemon_hash) { struct hlist_node *elem; struct ecryptfs_daemon *daemon;
+ show +
19
20
21
22
23
24
25
int i; mutex_lock(&ecryptfs_daemon_hash_mux); for (i = 0; i < ecryptfs_hash_buckets; i++) { int rc; hlist_for_each_entry(daemon, elem,
+ show +
26
27
28
29
30
31
32
33
34
35
&ecryptfs_daemon_hash[i], euid_chain) { rc = ecryptfs_exorcise_daemon(daemon); if (rc) printk(KERN_ERR "%s: Error whilst " "attempting to destroy daemon; " "rc = [%d]. Dazed and confused, " "but trying to continue.\n", __func__, rc); }

[openssl_CVE-2014-3572_1414150233_ssl3_get_key_exchange.diff] ssl3_get_key_exchange_OLD.c #1
int encoded_pt_len = 0; #endif + EVP_MD_CTX_init(&md_ctx); + /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
.\cloneFuncs\totalClone\Type-1\CVE-2010-2939_after_1mo_1297877101_ssl3_get_key_exchange.c
12
13
14
15
16
17
18
19
20
21
RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0;
+ show +
22
23
24
25
26
27
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
+ show +
28
29
30
31
32
33
34
35
36
37
SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK
.\cloneFuncs\totalClone\Type-1\CVE-2010-2939_before_1mo_1282832632_ssl3_get_key_exchange.c
12
13
14
15
16
17
18
19
20
21
RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0;
+ show +
22
23
24
25
26
27
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
+ show +
28
29
30
31
32
33
34
35
36
37
SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK
.\cloneFuncs\totalClone\Type-1\CVE-2014-3572_before_1mo_1411300471_ssl3_get_key_exchange.c
13
14
15
16
17
18
19
20
21
22
RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0;
+ show +
23
24
25
26
27
28
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
+ show +
29
30
31
32
33
34
35
36
37
38
SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK
.\cloneFuncs\totalClone\Type-3\CVE-2010-2939_after_6mo_1304955841_ssl3_get_key_exchange.c
13
14
15
16
17
18
19
20
21
22
RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0;
+ show +
23
24
25
26
27
28
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
+ show +
29
30
31
32
33
34
35
36
37
38
SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK
.\cloneFuncs\totalClone\Type-3\CVE-2014-3572_before_6mo_1387114344_ssl3_get_key_exchange.c
13
14
15
16
17
18
19
20
21
22
RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0;
+ show +
23
24
25
26
27
28
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s,
+ show +
29
30
31
32
33
34
35
36
37
38
SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK

[openssl_CVE-2014-3572_1414150233_ssl3_get_key_exchange.diff] ssl3_get_key_exchange_OLD.c #2
&ok); if (!ok) return((int)n); + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg_k & (SSL_kDHE|SSL_kECDHE)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) + if (alg_k & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
.\cloneFuncs\totalClone\Type-1\CVE-2010-2939_after_1mo_1297877101_ssl3_get_key_exchange.c
22
23
24
25
26
27
28
29
30
31
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
+ show +
32
33
34
35
36
37
38
39
40
41
42
43
44
45
&ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
+ show +
46
47
48
49
50
51
52
53
54
55
OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2010-2939_before_1mo_1282832632_ssl3_get_key_exchange.c
22
23
24
25
26
27
28
29
30
31
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
+ show +
32
33
34
35
36
37
38
39
40
41
42
43
44
45
&ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
+ show +
46
47
48
49
50
51
52
53
54
55
OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2014-3572_before_1mo_1411300471_ssl3_get_key_exchange.c
23
24
25
26
27
28
29
30
31
32
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
&ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
+ show +
47
48
49
50
51
52
53
54
55
56
OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL)
.\cloneFuncs\totalClone\Type-3\CVE-2010-2939_after_6mo_1304955841_ssl3_get_key_exchange.c
23
24
25
26
27
28
29
30
31
32
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
&ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
+ show +
47
48
49
50
51
52
53
54
55
56
OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL)
.\cloneFuncs\totalClone\Type-3\CVE-2014-3572_before_6mo_1387114344_ssl3_get_key_exchange.c
23
24
25
26
27
28
29
30
31
32
int encoded_pt_len = 0; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
&ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint)
+ show +
47
48
49
50
51
52
53
54
55
56
OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL)

[openssl_CVE-2010-2939_1286712947_ssl3_get_key_exchange.diff] ssl3_get_key_exchange_OLD.c #1
s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; }
.\cloneFuncs\totalClone\Type-1\CVE-2010-2939_before_1mo_1282832632_ssl3_get_key_exchange.c
350
351
352
353
354
355
356
357
358
359
#ifndef OPENSSL_NO_RSA else if (alg_a & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); #endif #ifndef OPENSSL_NO_ECDSA else if (alg_a & SSL_aECDSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); #endif /* else anonymous ECDH, so no certificate or pkey. */ EC_KEY_set_public_key(ecdh, srvr_ecpoint);
+ show +
360
361
362
363
364
365
s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; }
+ show +
366
367
368
369
370
371
372
373
374
375
else if (alg_k) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); goto f_err; } #endif /* !OPENSSL_NO_ECDH */ /* p points to the next byte, there are 'n' bytes left */

[linux_CVE-2010-2960_1284109191_keyctl_session_to_parent.diff] keyctl_session_to_parent_OLD.c #1
goto not_permitted; /* the keyrings must have the same UID */ - if (pcred->tgcred->session_keyring->uid != mycred->euid || + if ((pcred->tgcred->session_keyring && + pcred->tgcred->session_keyring->uid != mycred->euid) || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted;
.\cloneFuncs\totalClone\Type-1\CVE-2010-2960_before_imd_1284109186_keyctl_session_to_parent.c
46
47
48
49
50
51
52
53
54
55
goto already_same; /* the parent must have the same effective ownership and mustn't be * SUID/SGID */ if (pcred->uid != mycred->euid || pcred->euid != mycred->euid || pcred->suid != mycred->euid || pcred->gid != mycred->egid || pcred->egid != mycred->egid || pcred->sgid != mycred->egid)
+ show +
56
57
58
59
60
61
goto not_permitted; /* the keyrings must have the same UID */ if (pcred->tgcred->session_keyring->uid != mycred->euid || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted;
+ show +
62
63
64
65
66
67
68
69
70
71
/* if there's an already pending keyring replacement, then we replace * that */ oldcred = parent->replacement_session_keyring; /* the replacement session keyring is applied just prior to userspace * restarting */ parent->replacement_session_keyring = cred; cred = NULL; set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
.\cloneFuncs\totalClone\Type-3\CVE-2010-2960_before_1mo_1277730304_keyctl_session_to_parent.c
45
46
47
48
49
50
51
52
53
54
goto already_same; /* the parent must have the same effective ownership and mustn't be * SUID/SGID */ if (pcred->uid != mycred->euid || pcred->euid != mycred->euid || pcred->suid != mycred->euid || pcred->gid != mycred->egid || pcred->egid != mycred->egid || pcred->sgid != mycred->egid)
+ show +
55
56
57
58
59
60
goto not_permitted; /* the keyrings must have the same UID */ if (pcred->tgcred->session_keyring->uid != mycred->euid || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted;
+ show +
61
62
63
64
65
66
67
68
69
70
/* if there's an already pending keyring replacement, then we replace * that */ oldcred = parent->replacement_session_keyring; /* the replacement session keyring is applied just prior to userspace * restarting */ parent->replacement_session_keyring = cred; cred = NULL; set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
.\cloneFuncs\totalClone\Type-3\CVE-2010-2960_before_6mo_1260732094_keyctl_session_to_parent.c
45
46
47
48
49
50
51
52
53
54
goto already_same; /* the parent must have the same effective ownership and mustn't be * SUID/SGID */ if (pcred-> uid != mycred->euid || pcred->euid != mycred->euid || pcred->suid != mycred->euid || pcred-> gid != mycred->egid || pcred->egid != mycred->egid || pcred->sgid != mycred->egid)
+ show +
55
56
57
58
59
60
goto not_permitted; /* the keyrings must have the same UID */ if (pcred ->tgcred->session_keyring->uid != mycred->euid || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted;
+ show +
61
62
63
64
65
66
67
68
69
70
/* the LSM must permit the replacement of the parent's keyring with the * keyring from this process */ ret = security_key_session_to_parent(mycred, pcred, key_ref_to_ptr(keyring_r)); if (ret < 0) goto not_permitted; /* if there's an already pending keyring replacement, then we replace * that */

[linux_CVE-2010-2962_1285530605_i915_gem_pread_ioctl.diff] i915_gem_pread_ioctl_OLD.c #1
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { - drm_gem_object_unreference_unlocked(obj); - return -EINVAL; + ret = -EINVAL; + goto err; + } + + if (!access_ok(VERIFY_WRITE, + (char __user *)(uintptr_t)args->data_ptr, + args->size)) { + ret = -EFAULT; + goto err; } if (i915_gem_object_needs_bit17_swizzle(obj)) {
.\cloneFuncs\totalClone\Type-1\CVE-2010-2962_before_1mo_1282500207_i915_gem_pread_ioctl.c
8
9
10
11
12
13
14
15
16
17
int ret; obj = drm_gem_object_lookup(dev, file_priv, args->handle); if (obj == NULL) return -ENOENT; obj_priv = to_intel_bo(obj); /* Bounds check source. * * XXX: This could use review for overflow issues...
+ show +
18
19
20
21
22
23
24
25
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); return -EINVAL; } if (i915_gem_object_needs_bit17_swizzle(obj)) {
+ show +
26
27
28
29
30
31
32
33
34
35
ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv); } else { ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv); if (ret != 0) ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv); } drm_gem_object_unreference_unlocked(obj);
.\cloneFuncs\totalClone\Type-2\CVE-2010-2962_before_6mo_1269417851_i915_gem_pread_ioctl.c
8
9
10
11
12
13
14
15
16
17
int ret; obj = drm_gem_object_lookup(dev, file_priv, args->handle); if (obj == NULL) return -EBADF; obj_priv = obj->driver_private; /* Bounds check source. * * XXX: This could use review for overflow issues...
+ show +
18
19
20
21
22
23
24
25
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); return -EINVAL; } if (i915_gem_object_needs_bit17_swizzle(obj)) {
+ show +
26
27
28
29
30
31
32
33
34
35
ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv); } else { ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv); if (ret != 0) ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv); } drm_gem_object_unreference_unlocked(obj);

[linux_CVE-2010-2962_1285530605_i915_gem_pwrite_ioctl.diff] i915_gem_pwrite_ioctl_OLD.c #1
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { - drm_gem_object_unreference_unlocked(obj); - return -EINVAL; + ret = -EINVAL; + goto err; + } + + if (!access_ok(VERIFY_READ, + (char __user *)(uintptr_t)args->data_ptr, + args->size)) { + ret = -EFAULT; + goto err; } /* We can only do the GTT pwrite on untiled buffers, as otherwise
.\cloneFuncs\totalClone\Type-1\CVE-2010-2962_before_1mo_1282500207_i915_gem_pwrite_ioctl.c
8
9
10
11
12
13
14
15
16
17
int ret = 0; obj = drm_gem_object_lookup(dev, file_priv, args->handle); if (obj == NULL) return -ENOENT; obj_priv = to_intel_bo(obj); /* Bounds check destination. * * XXX: This could use review for overflow issues...
+ show +
18
19
20
21
22
23
24
25
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); return -EINVAL; } /* We can only do the GTT pwrite on untiled buffers, as otherwise
+ show +
26
27
28
29
30
31
32
33
34
35
* it would end up going through the fenced access, and we'll get * different detiling behavior between reading and writing. * pread/pwrite currently are reading and writing from the CPU * perspective, requiring manual detiling by the client. */ if (obj_priv->phys_obj) ret = i915_gem_phys_pwrite(dev, obj, args, file_priv); else if (obj_priv->tiling_mode == I915_TILING_NONE && dev->gtt_total != 0 && obj->write_domain != I915_GEM_DOMAIN_CPU) {
.\cloneFuncs\totalClone\Type-3\CVE-2010-2962_before_6mo_1269417851_i915_gem_pwrite_ioctl.c
8
9
10
11
12
13
14
15
16
17
int ret = 0; obj = drm_gem_object_lookup(dev, file_priv, args->handle); if (obj == NULL) return -EBADF; obj_priv = obj->driver_private; /* Bounds check destination. * * XXX: This could use review for overflow issues...
+ show +
18
19
20
21
22
23
24
25
*/ if (args->offset > obj->size || args->size > obj->size || args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); return -EINVAL; } /* We can only do the GTT pwrite on untiled buffers, as otherwise
+ show +
26
27
28
29
30
31
32
33
34
35
* it would end up going through the fenced access, and we'll get * different detiling behavior between reading and writing. * pread/pwrite currently are reading and writing from the CPU * perspective, requiring manual detiling by the client. */ if (obj_priv->phys_obj) ret = i915_gem_phys_pwrite(dev, obj, args, file_priv); else if (obj_priv->tiling_mode == I915_TILING_NONE && dev->gtt_total != 0) { ret = i915_gem_gtt_pwrite_fast(dev, obj, args, file_priv);

[linux_CVE-2010-3079_1284075299_t_start.diff] t_start_OLD.c #1
if (*pos > 0) return t_hash_start(m, pos); iter->flags |= FTRACE_ITER_PRINTALL; + /* reset in case of seek/pread */ + iter->flags &= ~FTRACE_ITER_HASH; return iter; }
.\cloneFuncs\totalClone\Type-1\CVE-2010-3079_before_1mo_1275572210_t_start.c
4
5
6
7
8
9
10
11
12
13
void *p = NULL; loff_t l; mutex_lock(&ftrace_lock); /* * For set_ftrace_filter reading, if we have the filter * off, we can short cut and just print out that all * functions are enabled. */ if (iter->flags & FTRACE_ITER_FILTER && !ftrace_filtered) {
+ show +
14
15
16
17
18
if (*pos > 0) return t_hash_start(m, pos); iter->flags |= FTRACE_ITER_PRINTALL; return iter; }
+ show +
19
20
21
22
23
24
25
26
27
28
if (iter->flags & FTRACE_ITER_HASH) return t_hash_start(m, pos); iter->pg = ftrace_pages_start; iter->idx = 0; for (l = 0; l <= *pos; ) { p = t_next(m, p, &l); if (!p) break;

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_15_16BPP.diff] flic_decode_frame_15_16BPP_OLD.c #1
int pixel_countdown; unsigned char *pixels; int pixel; - int pixel_limit; + unsigned int pixel_limit; s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_15_16BPP.c
17
18
19
20
21
22
23
24
25
26
int chunk_type; int i, j; int lines; int compressed_lines; signed short line_packets; int y_ptr; int byte_run; int pixel_skip;
+ show +
27
28
29
30
31
32
33
int pixel_countdown; unsigned char *pixels; int pixel; int pixel_limit; s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+ show +
34
35
36
37
38
39
40
41
42
43
if (avctx->reget_buffer(avctx, &s->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; frame_size = AV_RL32(&buf[stream_ptr]); stream_ptr += 6; /* skip the magic number */

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_15_16BPP.diff] flic_decode_frame_15_16BPP_OLD.c #2
} else { compressed_lines--; pixel_ptr = y_ptr; + CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_15_16BPP.c
67
68
69
70
71
72
73
74
75
76
case FLI_DTA_LC: y_ptr = 0; compressed_lines = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; while (compressed_lines > 0) { line_packets = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; if (line_packets < 0) { line_packets = -line_packets; y_ptr += line_packets * s->frame.linesize[0];
+ show +
77
78
79
80
81
82
} else { compressed_lines--; pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */
+ show +
83
84
85
86
87
88
89
90
91
92
pixel_skip = buf[stream_ptr++]; pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run < 0) { byte_run = -byte_run; pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_8BPP.c
121
122
123
124
125
126
127
128
129
130
stream_ptr += 2; if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; y_ptr += line_packets * s->frame.linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); } else if ((line_packets & 0xC000) == 0x8000) { // "last byte" opcode pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff;
+ show +
131
132
133
134
135
136
} else { compressed_lines--; pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */
+ show +
137
138
139
140
141
142
143
144
145
146
pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run < 0) { byte_run = -byte_run; palette_idx1 = buf[stream_ptr++]; palette_idx2 = buf[stream_ptr++]; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_15_16BPP.diff] flic_decode_frame_15_16BPP_OLD.c #3
byte_run = -byte_run; pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; - CHECK_PIXEL_PTR(byte_run); + CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { *((signed short*)(&pixels[pixel_ptr])) = pixel; pixel_ptr += 2; } } else { - CHECK_PIXEL_PTR(byte_run); + CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); stream_ptr += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_15_16BPP.c
78
79
80
81
82
83
84
85
86
87
compressed_lines--; pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run < 0) {
+ show +
88
89
90
91
92
93
94
95
96
97
98
99
100
byte_run = -byte_run; pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { *((signed short*)(&pixels[pixel_ptr])) = pixel; pixel_ptr += 2; } } else { CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); stream_ptr += 2;
+ show +
101
102
103
104
105
106
107
108
109
110
pixel_ptr += 2; } } } y_ptr += s->frame.linesize[0]; } } break;

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_15_16BPP.diff] flic_decode_frame_15_16BPP_OLD.c #4
if (byte_run > 0) { pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; - CHECK_PIXEL_PTR(byte_run); + CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = pixel; pixel_ptr += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_15_16BPP.c
175
176
177
178
179
180
181
182
183
184
y_ptr = 0; for (lines = 0; lines < s->avctx->height; lines++) { pixel_ptr = y_ptr; /* disregard the line packets; instead, iterate through all * pixels on a row */ stream_ptr++; pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */ while (pixel_countdown > 0) { byte_run = (signed char)(buf[stream_ptr++]);
+ show +
185
186
187
188
189
190
191
if (byte_run > 0) { pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = pixel; pixel_ptr += 2;
+ show +
192
193
194
195
196
197
198
199
200
201
pixel_countdown--; if (pixel_countdown < 0) av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d)\n", pixel_countdown); } } else { /* copy pixels if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_15_16BPP.diff] flic_decode_frame_15_16BPP_OLD.c #5
} } else { /* copy pixels if byte_run < 0 */ byte_run = -byte_run; - CHECK_PIXEL_PTR(byte_run); + CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); stream_ptr += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_15_16BPP.c
186
187
188
189
190
191
192
193
194
195
pixel = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = pixel; pixel_ptr += 2; pixel_countdown--; if (pixel_countdown < 0) av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d)\n", pixel_countdown);
+ show +
196
197
198
199
200
201
202
} } else { /* copy pixels if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); stream_ptr += 2;
+ show +
203
204
205
206
207
208
209
210
211
212
pixel_ptr += 2; pixel_countdown--; if (pixel_countdown < 0) av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d)\n", pixel_countdown); } } } y_ptr += s->frame.linesize[0];

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_8BPP.diff] flic_decode_frame_8BPP_OLD.c #1
int pixel_skip; int pixel_countdown; unsigned char *pixels; - int pixel_limit; + unsigned int pixel_limit; s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_8BPP.c
23
24
25
26
27
28
29
30
31
32
int color_changes; int color_shift; unsigned char r, g, b; int lines; int compressed_lines; int starting_line; signed short line_packets; int y_ptr; int byte_run;
+ show +
33
34
35
36
37
38
39
int pixel_skip; int pixel_countdown; unsigned char *pixels; int pixel_limit; s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+ show +
40
41
42
43
44
45
46
47
48
49
if (avctx->reget_buffer(avctx, &s->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; frame_size = AV_RL32(&buf[stream_ptr]); stream_ptr += 6; /* skip the magic number */

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_8BPP.diff] flic_decode_frame_8BPP_OLD.c #2
av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); } else if ((line_packets & 0xC000) == 0x8000) { // "last byte" opcode - pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff; + pixel_ptr= y_ptr + s->frame.linesize[0] - 1; + CHECK_PIXEL_PTR(0); + pixels[pixel_ptr] = line_packets & 0xff; } else { compressed_lines--; pixel_ptr = y_ptr; + CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_8BPP.c
117
118
119
120
121
122
123
124
125
126
compressed_lines = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; while (compressed_lines > 0) { line_packets = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; y_ptr += line_packets * s->frame.linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) {
+ show +
127
128
129
130
131
132
133
134
135
136
av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); } else if ((line_packets & 0xC000) == 0x8000) { // "last byte" opcode pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff; } else { compressed_lines--; pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */
+ show +
137
138
139
140
141
142
143
144
145
146
pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run < 0) { byte_run = -byte_run; palette_idx1 = buf[stream_ptr++]; palette_idx2 = buf[stream_ptr++]; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_8BPP.diff] flic_decode_frame_8BPP_OLD.c #3
byte_run = -byte_run; palette_idx1 = buf[stream_ptr++]; palette_idx2 = buf[stream_ptr++]; - CHECK_PIXEL_PTR(byte_run); + CHECK_PIXEL_PTR(byte_run * 2); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx2;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_8BPP.c
132
133
134
135
136
137
138
139
140
141
compressed_lines--; pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run < 0) {
+ show +
142
143
144
145
146
147
148
byte_run = -byte_run; palette_idx1 = buf[stream_ptr++]; palette_idx2 = buf[stream_ptr++]; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx2;
+ show +
149
150
151
152
153
154
155
156
157
158
} } else { CHECK_PIXEL_PTR(byte_run * 2); for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; } } }

[ffmpeg_CVE-2010-3429_1285600576_flic_decode_frame_8BPP.diff] flic_decode_frame_8BPP_OLD.c #4
stream_ptr += 2; while (compressed_lines > 0) { pixel_ptr = y_ptr; + CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; line_packets = buf[stream_ptr++]; if (line_packets > 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2010-3429_before_1mo_1269991855_flic_decode_frame_8BPP.c
162
163
164
165
166
167
168
169
170
171
break; case FLI_LC: /* line compressed */ starting_line = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; y_ptr = 0; y_ptr += starting_line * s->frame.linesize[0]; compressed_lines = AV_RL16(&buf[stream_ptr]);
+ show +
172
173
174
175
176
177
stream_ptr += 2; while (compressed_lines > 0) { pixel_ptr = y_ptr; pixel_countdown = s->avctx->width; line_packets = buf[stream_ptr++]; if (line_packets > 0) {
+ show +
178
179
180
181
182
183
184
185
186
187
for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++];

[linux_CVE-2010-3698_1287499615_vmx_save_host_state.diff] vmx_save_host_state_OLD.c #1
*/ vmx->host_state.ldt_sel = kvm_read_ldt(); vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel; - vmx->host_state.fs_sel = kvm_read_fs(); + savesegment(fs, vmx->host_state.fs_sel); if (!(vmx->host_state.fs_sel & 7)) { vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel); vmx->host_state.fs_reload_needed = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3698_before_1mo_1280158358_vmx_save_host_state.c
3
4
5
6
7
8
9
10
11
12
struct vcpu_vmx *vmx = to_vmx(vcpu); int i; if (vmx->host_state.loaded) return; vmx->host_state.loaded = 1; /* * Set host fs and gs selectors. Unfortunately, 22.2.3 does not * allow segment selectors with cpl > 0 or ti == 1.
+ show +
13
14
15
16
17
18
19
*/ vmx->host_state.ldt_sel = kvm_read_ldt(); vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel; vmx->host_state.fs_sel = kvm_read_fs(); if (!(vmx->host_state.fs_sel & 7)) { vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel); vmx->host_state.fs_reload_needed = 0;
+ show +
20
21
22
23
24
25
26
27
28
29
} else { vmcs_write16(HOST_FS_SELECTOR, 0); vmx->host_state.fs_reload_needed = 1; } vmx->host_state.gs_sel = kvm_read_gs(); if (!(vmx->host_state.gs_sel & 7)) vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel); else { vmcs_write16(HOST_GS_SELECTOR, 0); vmx->host_state.gs_ldt_reload_needed = 1;

[linux_CVE-2010-3698_1287499615_vmx_save_host_state.diff] vmx_save_host_state_OLD.c #2
vmcs_write16(HOST_FS_SELECTOR, 0); vmx->host_state.fs_reload_needed = 1; } - vmx->host_state.gs_sel = kvm_read_gs(); + savesegment(gs, vmx->host_state.gs_sel); if (!(vmx->host_state.gs_sel & 7)) vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel); else {
.\cloneFuncs\totalClone\Type-1\CVE-2010-3698_before_1mo_1280158358_vmx_save_host_state.c
11
12
13
14
15
16
17
18
19
20
* Set host fs and gs selectors. Unfortunately, 22.2.3 does not * allow segment selectors with cpl > 0 or ti == 1. */ vmx->host_state.ldt_sel = kvm_read_ldt(); vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel; vmx->host_state.fs_sel = kvm_read_fs(); if (!(vmx->host_state.fs_sel & 7)) { vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel); vmx->host_state.fs_reload_needed = 0; } else {
+ show +
21
22
23
24
25
26
27
vmcs_write16(HOST_FS_SELECTOR, 0); vmx->host_state.fs_reload_needed = 1; } vmx->host_state.gs_sel = kvm_read_gs(); if (!(vmx->host_state.gs_sel & 7)) vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel); else {
+ show +
28
29
30
31
32
33
34
35
36
37
vmcs_write16(HOST_GS_SELECTOR, 0); vmx->host_state.gs_ldt_reload_needed = 1; } #ifdef CONFIG_X86_64 vmcs_writel(HOST_FS_BASE, read_msr(MSR_FS_BASE)); vmcs_writel(HOST_GS_BASE, read_msr(MSR_GS_BASE)); #else vmcs_writel(HOST_FS_BASE, segment_base(vmx->host_state.fs_sel)); vmcs_writel(HOST_GS_BASE, segment_base(vmx->host_state.gs_sel));

[linux_CVE-2010-3698_1287499615_vmx_vcpu_setup.diff] vmx_vcpu_setup_OLD.c #1
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ - vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */ - vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */ + vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */ + vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */ vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ #ifdef CONFIG_X86_64 rdmsrl(MSR_FS_BASE, a);
.\cloneFuncs\totalClone\Type-1\CVE-2010-3698_before_1mo_1280158358_vmx_vcpu_setup.c
60
61
62
63
64
65
66
67
68
69
} vmcs_write32(PAGE_FAULT_ERROR_CODE_MASK, !!bypass_guest_pf); vmcs_write32(PAGE_FAULT_ERROR_CODE_MATCH, !!bypass_guest_pf); vmcs_write32(CR3_TARGET_COUNT, 0); /* 22.2.1 */ vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */ vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
+ show +
70
71
72
73
74
75
76
77
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */ vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */ vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ #ifdef CONFIG_X86_64 rdmsrl(MSR_FS_BASE, a);
+ show +
78
79
80
81
82
83
84
85
86
87
vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */ rdmsrl(MSR_GS_BASE, a); vmcs_writel(HOST_GS_BASE, a); /* 22.2.4 */ #else vmcs_writel(HOST_FS_BASE, 0); /* 22.2.4 */ vmcs_writel(HOST_GS_BASE, 0); /* 22.2.4 */ #endif vmcs_write16(HOST_TR_SELECTOR, GDT_ENTRY_TSS*8); /* 22.2.4 */
.\cloneFuncs\totalClone\Type-3\CVE-2010-3698_before_6mo_1270739975_vmx_vcpu_setup.c
60
61
62
63
64
65
66
67
68
69
} vmcs_write32(PAGE_FAULT_ERROR_CODE_MASK, !!bypass_guest_pf); vmcs_write32(PAGE_FAULT_ERROR_CODE_MATCH, !!bypass_guest_pf); vmcs_write32(CR3_TARGET_COUNT, 0); /* 22.2.1 */ vmcs_writel(HOST_CR0, read_cr0()); /* 22.2.3 */ vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
+ show +
70
71
72
73
74
75
76
77
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */ vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */ vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ #ifdef CONFIG_X86_64 rdmsrl(MSR_FS_BASE, a);
+ show +
78
79
80
81
82
83
84
85
86
87
vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */ rdmsrl(MSR_GS_BASE, a); vmcs_writel(HOST_GS_BASE, a); /* 22.2.4 */ #else vmcs_writel(HOST_FS_BASE, 0); /* 22.2.4 */ vmcs_writel(HOST_GS_BASE, 0); /* 22.2.4 */ #endif vmcs_write16(HOST_TR_SELECTOR, GDT_ENTRY_TSS*8); /* 22.2.4 */

[linux_CVE-2010-3699_1290665300_frontend_changed.diff] frontend_changed_OLD.c #1
if (dev->state == XenbusStateConnected) break; + /* Enforce precondition before potential leak point. + * blkif_disconnect() is idempotent. + */ + blkif_disconnect(be->blkif); + err = connect_ring(be); if (err) break;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3699_before_imd_1279741305_frontend_changed.c
13
14
15
16
17
18
19
20
21
22
__FUNCTION__, dev->nodename); xenbus_switch_state(dev, XenbusStateInitWait); } break; case XenbusStateInitialised: case XenbusStateConnected: /* Ensure we connect even when two watches fire in close successsion and we miss the intermediate value of frontend_state. */
+ show +
23
24
25
26
27
28
if (dev->state == XenbusStateConnected) break; err = connect_ring(be); if (err) break;
+ show +
29
30
31
32
33
34
35
36
37
38
update_blkif_status(be->blkif); break; case XenbusStateClosing: blkif_disconnect(be->blkif); xenbus_switch_state(dev, XenbusStateClosing); break; case XenbusStateClosed: xenbus_switch_state(dev, XenbusStateClosed);

[linux_CVE-2010-3699_1290665300_frontend_changed.diff] frontend_changed_OLD.c #2
break; /* fall through if not online */ case XenbusStateUnknown: + /* implies blkif_disconnect() via blkback_remove() */ device_unregister(&dev->dev); break;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3699_before_imd_1279741305_frontend_changed.c
30
31
32
33
34
35
36
37
38
39
break; case XenbusStateClosing: blkif_disconnect(be->blkif); xenbus_switch_state(dev, XenbusStateClosing); break; case XenbusStateClosed: xenbus_switch_state(dev, XenbusStateClosed); if (xenbus_dev_is_online(dev))
+ show +
40
41
42
43
44
break; /* fall through if not online */ case XenbusStateUnknown: device_unregister(&dev->dev); break;
+ show +
45
46
47
48
49
50
51
default: xenbus_dev_fatal(dev, -EINVAL, "saw state %d at frontend", frontend_state); break; } }

[linux_CVE-2010-3848_1290628307_econet_sendmsg.diff] econet_sendmsg_OLD.c #1
#endif #ifdef CONFIG_ECONET_AUNUDP struct msghdr udpmsg; - struct iovec iov[msg->msg_iovlen+1]; + struct iovec iov[2]; struct aunhdr ah; struct sockaddr_in udpdest; __kernel_size_t size; - int i; mm_segment_t oldfs; + char *userbuf; #endif /*
.\cloneFuncs\totalClone\Type-1\CVE-2010-3848_before_imd_1290628193_econet_sendmsg.c
3
4
5
6
7
8
9
10
11
12
{ struct sock *sk = sock->sk; struct sockaddr_ec *saddr=(struct sockaddr_ec *)msg->msg_name; struct net_device *dev; struct ec_addr addr; int err; unsigned char port, cb; #if defined(CONFIG_ECONET_AUNUDP) || defined(CONFIG_ECONET_NATIVE) struct sk_buff *skb; struct ec_cb *eb;
+ show +
13
14
15
16
17
18
19
20
21
22
23
24
#endif #ifdef CONFIG_ECONET_AUNUDP struct msghdr udpmsg; struct iovec iov[msg->msg_iovlen+1]; struct aunhdr ah; struct sockaddr_in udpdest; __kernel_size_t size; int i; mm_segment_t oldfs; #endif /*
+ show +
25
26
27
28
29
30
31
32
33
34
* Check the flags. */ if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT)) return -EINVAL; /* * Get and verify the address. */
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_1mo_1285188237_econet_sendmsg.c
3
4
5
6
7
8
9
10
11
12
{ struct sock *sk = sock->sk; struct sockaddr_ec *saddr=(struct sockaddr_ec *)msg->msg_name; struct net_device *dev; struct ec_addr addr; int err; unsigned char port, cb; #if defined(CONFIG_ECONET_AUNUDP) || defined(CONFIG_ECONET_NATIVE) struct sk_buff *skb; struct ec_cb *eb;
+ show +
13
14
15
16
17
18
19
20
21
22
23
24
#endif #ifdef CONFIG_ECONET_AUNUDP struct msghdr udpmsg; struct iovec iov[msg->msg_iovlen+1]; struct aunhdr ah; struct sockaddr_in udpdest; __kernel_size_t size; int i; mm_segment_t oldfs; #endif /*
+ show +
25
26
27
28
29
30
31
32
33
34
* Check the flags. */ if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT)) return -EINVAL; /* * Get and verify the address. */
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_6mo_1269417851_econet_sendmsg.c
3
4
5
6
7
8
9
10
11
12
{ struct sock *sk = sock->sk; struct sockaddr_ec *saddr=(struct sockaddr_ec *)msg->msg_name; struct net_device *dev; struct ec_addr addr; int err; unsigned char port, cb; #if defined(CONFIG_ECONET_AUNUDP) || defined(CONFIG_ECONET_NATIVE) struct sk_buff *skb; struct ec_cb *eb;
+ show +
13
14
15
16
17
18
19
20
21
22
23
24
#endif #ifdef CONFIG_ECONET_AUNUDP struct msghdr udpmsg; struct iovec iov[msg->msg_iovlen+1]; struct aunhdr ah; struct sockaddr_in udpdest; __kernel_size_t size; int i; mm_segment_t oldfs; #endif /*
+ show +
25
26
27
28
29
30
31
32
33
34
* Check the flags. */ if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT)) return -EINVAL; /* * Get and verify the address. */

[linux_CVE-2010-3848_1290628307_econet_sendmsg.diff] econet_sendmsg_OLD.c #2
} } - if (len + 15 > dev->mtu) { - mutex_unlock(&econet_mutex); - return -EMSGSIZE; - } - if (dev->type == ARPHRD_ECONET) { /* Real hardware Econet. We're not worthy etc. */ #ifdef CONFIG_ECONET_NATIVE unsigned short proto = 0; int res; + if (len + 15 > dev->mtu) { + mutex_unlock(&econet_mutex); + return -EMSGSIZE; + } + dev_hold(dev); skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
.\cloneFuncs\totalClone\Type-1\CVE-2010-3848_before_imd_1290628193_econet_sendmsg.c
46
47
48
49
50
51
52
53
54
55
/* Look for a device with the right network number. */ dev = net2dev_map[addr.net]; /* If not directly reachable, use some default */ if (dev == NULL) { dev = net2dev_map[0]; /* No interfaces at all? */ if (dev == NULL) { mutex_unlock(&econet_mutex); return -ENETDOWN;
+ show +
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
} } if (len + 15 > dev->mtu) { mutex_unlock(&econet_mutex); return -EMSGSIZE; } if (dev->type == ARPHRD_ECONET) { /* Real hardware Econet. We're not worthy etc. */ #ifdef CONFIG_ECONET_NATIVE unsigned short proto = 0; int res; dev_hold(dev); skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+ show +
73
74
75
76
77
78
79
80
81
82
msg->msg_flags & MSG_DONTWAIT, &err); if (skb==NULL) goto out_unlock; skb_reserve(skb, LL_RESERVED_SPACE(dev)); skb_reset_network_header(skb); eb = (struct ec_cb *)&skb->cb; eb->cookie = saddr->cookie;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_1mo_1285188237_econet_sendmsg.c
55
56
57
58
59
60
61
62
63
64
/* Look for a device with the right network number. */ dev = net2dev_map[addr.net]; /* If not directly reachable, use some default */ if (dev == NULL) { dev = net2dev_map[0]; /* No interfaces at all? */ if (dev == NULL) { mutex_unlock(&econet_mutex); return -ENETDOWN;
+ show +
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
} } if (len + 15 > dev->mtu) { mutex_unlock(&econet_mutex); return -EMSGSIZE; } if (dev->type == ARPHRD_ECONET) { /* Real hardware Econet. We're not worthy etc. */ #ifdef CONFIG_ECONET_NATIVE unsigned short proto = 0; int res; dev_hold(dev); skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+ show +
82
83
84
85
86
87
88
89
90
91
msg->msg_flags & MSG_DONTWAIT, &err); if (skb==NULL) goto out_unlock; skb_reserve(skb, LL_RESERVED_SPACE(dev)); skb_reset_network_header(skb); eb = (struct ec_cb *)&skb->cb; /* BUG: saddr may be NULL */
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_6mo_1269417851_econet_sendmsg.c
55
56
57
58
59
60
61
62
63
64
/* Look for a device with the right network number. */ dev = net2dev_map[addr.net]; /* If not directly reachable, use some default */ if (dev == NULL) { dev = net2dev_map[0]; /* No interfaces at all? */ if (dev == NULL) { mutex_unlock(&econet_mutex); return -ENETDOWN;
+ show +
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
} } if (len + 15 > dev->mtu) { mutex_unlock(&econet_mutex); return -EMSGSIZE; } if (dev->type == ARPHRD_ECONET) { /* Real hardware Econet. We're not worthy etc. */ #ifdef CONFIG_ECONET_NATIVE unsigned short proto = 0; int res; dev_hold(dev); skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+ show +
82
83
84
85
86
87
88
89
90
91
msg->msg_flags & MSG_DONTWAIT, &err); if (skb==NULL) goto out_unlock; skb_reserve(skb, LL_RESERVED_SPACE(dev)); skb_reset_network_header(skb); eb = (struct ec_cb *)&skb->cb; /* BUG: saddr may be NULL */

[linux_CVE-2010-3848_1290628307_econet_sendmsg.diff] econet_sendmsg_OLD.c #3
return -ENETDOWN; /* No socket - can't send */ } + if (len > 32768) { + err = -E2BIG; + goto error; + } + /* Make up a UDP datagram and hand it off to some higher intellect. */ memset(&udpdest, 0, sizeof(udpdest));
.\cloneFuncs\totalClone\Type-1\CVE-2010-3848_before_imd_1290628193_econet_sendmsg.c
132
133
134
135
136
137
138
139
140
141
mutex_unlock(&econet_mutex); return err; } #ifdef CONFIG_ECONET_AUNUDP /* AUN virtual Econet. */ if (udpsock == NULL) { mutex_unlock(&econet_mutex);
+ show +
142
143
144
145
146
147
return -ENETDOWN; /* No socket - can't send */ } /* Make up a UDP datagram and hand it off to some higher intellect. */ memset(&udpdest, 0, sizeof(udpdest));
+ show +
148
149
150
151
152
153
154
155
156
157
udpdest.sin_family = AF_INET; udpdest.sin_port = htons(AUN_PORT); /* At the moment we use the stupid Acorn scheme of Econet address y.x maps to IP a.b.c.x. This should be replaced with something more flexible and more aware of subnet masks. */ { struct in_device *idev; unsigned long network = 0;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_1mo_1285188237_econet_sendmsg.c
142
143
144
145
146
147
148
149
150
151
mutex_unlock(&econet_mutex); return err; } #ifdef CONFIG_ECONET_AUNUDP /* AUN virtual Econet. */ if (udpsock == NULL) { mutex_unlock(&econet_mutex);
+ show +
152
153
154
155
156
157
return -ENETDOWN; /* No socket - can't send */ } /* Make up a UDP datagram and hand it off to some higher intellect. */ memset(&udpdest, 0, sizeof(udpdest));
+ show +
158
159
160
161
162
163
164
165
166
167
udpdest.sin_family = AF_INET; udpdest.sin_port = htons(AUN_PORT); /* At the moment we use the stupid Acorn scheme of Econet address y.x maps to IP a.b.c.x. This should be replaced with something more flexible and more aware of subnet masks. */ { struct in_device *idev; unsigned long network = 0;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_6mo_1269417851_econet_sendmsg.c
142
143
144
145
146
147
148
149
150
151
mutex_unlock(&econet_mutex); return err; } #ifdef CONFIG_ECONET_AUNUDP /* AUN virtual Econet. */ if (udpsock == NULL) { mutex_unlock(&econet_mutex);
+ show +
152
153
154
155
156
157
return -ENETDOWN; /* No socket - can't send */ } /* Make up a UDP datagram and hand it off to some higher intellect. */ memset(&udpdest, 0, sizeof(udpdest));
+ show +
158
159
160
161
162
163
164
165
166
167
udpdest.sin_family = AF_INET; udpdest.sin_port = htons(AUN_PORT); /* At the moment we use the stupid Acorn scheme of Econet address y.x maps to IP a.b.c.x. This should be replaced with something more flexible and more aware of subnet masks. */ { struct in_device *idev; unsigned long network = 0;

[linux_CVE-2010-3848_1290628307_econet_sendmsg.diff] econet_sendmsg_OLD.c #5
udpmsg.msg_name = (void *)&udpdest; udpmsg.msg_namelen = sizeof(udpdest); udpmsg.msg_iov = &iov[0]; - udpmsg.msg_iovlen = msg->msg_iovlen + 1; + udpmsg.msg_iovlen = 2; udpmsg.msg_control = NULL; udpmsg.msg_controllen = 0; udpmsg.msg_flags=0;
.\cloneFuncs\totalClone\Type-1\CVE-2010-3848_before_imd_1290628193_econet_sendmsg.c
208
209
210
211
212
213
214
215
216
217
eb->cookie = saddr->cookie; eb->timeout = (5*HZ); eb->start = jiffies; ah.handle = aun_seq; eb->seq = (aun_seq++); eb->sec = *saddr; skb_queue_tail(&aun_queue, skb);
+ show +
218
219
220
221
222
223
224
udpmsg.msg_name = (void *)&udpdest; udpmsg.msg_namelen = sizeof(udpdest); udpmsg.msg_iov = &iov[0]; udpmsg.msg_iovlen = msg->msg_iovlen + 1; udpmsg.msg_control = NULL; udpmsg.msg_controllen = 0; udpmsg.msg_flags=0;
+ show +
225
226
227
228
229
230
231
232
233
234
oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ err = sock_sendmsg(udpsock, &udpmsg, size); set_fs(oldfs); #else err = -EPROTOTYPE; #endif mutex_unlock(&econet_mutex); return err;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_1mo_1285188237_econet_sendmsg.c
218
219
220
221
222
223
224
225
226
227
eb->cookie = saddr->cookie; eb->timeout = (5*HZ); eb->start = jiffies; ah.handle = aun_seq; eb->seq = (aun_seq++); eb->sec = *saddr; skb_queue_tail(&aun_queue, skb);
+ show +
228
229
230
231
232
233
234
udpmsg.msg_name = (void *)&udpdest; udpmsg.msg_namelen = sizeof(udpdest); udpmsg.msg_iov = &iov[0]; udpmsg.msg_iovlen = msg->msg_iovlen + 1; udpmsg.msg_control = NULL; udpmsg.msg_controllen = 0; udpmsg.msg_flags=0;
+ show +
235
236
237
238
239
240
241
242
243
244
oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ err = sock_sendmsg(udpsock, &udpmsg, size); set_fs(oldfs); #else err = -EPROTOTYPE; #endif mutex_unlock(&econet_mutex); return err;
.\cloneFuncs\totalClone\Type-3\CVE-2010-3848_before_6mo_1269417851_econet_sendmsg.c
218
219
220
221
222
223
224
225
226
227
eb->cookie = saddr->cookie; eb->timeout = (5*HZ); eb->start = jiffies; ah.handle = aun_seq; eb->seq = (aun_seq++); eb->sec = *saddr; skb_queue_tail(&aun_queue, skb);
+ show +
228
229
230
231
232
233
234
udpmsg.msg_name = (void *)&udpdest; udpmsg.msg_namelen = sizeof(udpdest); udpmsg.msg_iov = &iov[0]; udpmsg.msg_iovlen = msg->msg_iovlen + 1; udpmsg.msg_control = NULL; udpmsg.msg_controllen = 0; udpmsg.msg_flags=0;
+ show +
235
236
237
238
239
240
241
242
243
244
oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ err = sock_sendmsg(udpsock, &udpmsg, size); set_fs(oldfs); #else err = -EPROTOTYPE; #endif mutex_unlock(&econet_mutex); return err;

[linux_CVE-2010-3849_1291329081_do_exit.diff] do_exit_OLD.c #1
if (unlikely(!tsk->pid)) panic("Attempted to kill the idle task!"); + /* + * If do_exit is called because this processes oopsed, it's possible + * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before + * continuing. Amongst other possible reasons, this is to prevent + * mm_release()->clear_child_tid() from writing to a user-controlled + * kernel address. + */ + set_fs(USER_DS); + tracehook_report_exit(&code); validate_creds_for_do_exit(tsk);
.\cloneFuncs\totalClone\Type-1\CVE-2010-3849_before_1mo_1288218850_do_exit.c
2
3
4
5
6
7
8
9
10
11
{ struct task_struct *tsk = current; int group_dead; profile_task_exit(tsk); WARN_ON(atomic_read(&tsk->fs_excl)); if (unlikely(in_interrupt())) panic("Aiee, killing interrupt handler!");
+ show +
12
13
14
15
16
17
if (unlikely(!tsk->pid)) panic("Attempted to kill the idle task!"); tracehook_report_exit(&code); validate_creds_for_do_exit(tsk);
+ show +
18
19
20
21
22
23
24
25
26
27
/* * We're taking recursive faults here in do_exit. Safest is to just * leave this task alone and wait for reboot. */ if (unlikely(tsk->flags & PF_EXITING)) { printk(KERN_ALERT "Fixing recursive fault but reboot is needed!\n"); /* * We can do this unlocked here. The futex code uses

[linux_CVE-2010-3850_1290628193_ec_dev_ioctl.diff] ec_dev_ioctl_OLD.c #1
err = 0; switch (cmd) { case SIOCSIFADDR: + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + edev = dev->ec_ptr; if (edev == NULL) { /* Magic up a new one. */
.\cloneFuncs\totalClone\Type-1\CVE-2010-3850_before_1mo_1285188237_ec_dev_ioctl.c
13
14
15
16
17
18
19
20
21
22
if (copy_from_user(&ifr, arg, sizeof(struct ifreq))) return -EFAULT; if ((dev = dev_get_by_name(&init_net, ifr.ifr_name)) == NULL) return -ENODEV; sec = (struct sockaddr_ec *)&ifr.ifr_addr; mutex_lock(&econet_mutex);
+ show +
23
24
25
26
27
28
err = 0; switch (cmd) { case SIOCSIFADDR: edev = dev->ec_ptr; if (edev == NULL) { /* Magic up a new one. */
+ show +
29
30
31
32
33
34
35
36
37
38
edev = kzalloc(sizeof(struct ec_device), GFP_KERNEL); if (edev == NULL) { err = -ENOMEM; break; } dev->ec_ptr = edev; } else net2dev_map[edev->net] = NULL; edev->station = sec->addr.station; edev->net = sec->addr.net;

[openssl_CVE-2010-4180_1296729780_ssl3_get_client_hello.diff] ssl3_get_client_hello_OLD.c #1
break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may
.\cloneFuncs\totalClone\Type-1\CVE-2010-4180_before_1mo_1283706841_ssl3_get_client_hello.c
190
191
192
193
194
195
196
197
198
199
for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) { c=sk_SSL_CIPHER_value(ciphers,i); #ifdef CIPHER_DEBUG printf("client [%2d of %2d]:%s\n", i,sk_num(ciphers),SSL_CIPHER_get_name(c)); #endif if (c->id == id) { j=1;
+ show +
200
201
202
203
204
205
break; } } if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may
+ show +
206
207
208
209
210
211
212
213
214
215
* not be in the current list, the client instead might be trying to * continue using a cipher that before wasn't chosen due to server * preferences. We'll have to reject the connection if the cipher is not * enabled, though. */ c = sk_SSL_CIPHER_value(ciphers, 0); if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { s->session->cipher = c; j = 1; }
.\cloneFuncs\totalClone\Type-3\CVE-2010-4180_before_6mo_1280311615_ssl3_get_client_hello.c
190
191
192
193
194
195
196
197
198
199
for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) { c=sk_SSL_CIPHER_value(ciphers,i); #ifdef CIPHER_DEBUG printf("client [%2d of %2d]:%s\n", i,sk_num(ciphers),SSL_CIPHER_get_name(c)); #endif if (c->id == id) { j=1;
+ show +
200
201
202
203
204
205
break; } } if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may
+ show +
206
207
208
209
210
211
212
213
214
215
* not be in the current list, the client instead might be trying to * continue using a cipher that before wasn't chosen due to server * preferences. We'll have to reject the connection if the cipher is not * enabled, though. */ c = sk_SSL_CIPHER_value(ciphers, 0); if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { s->session->cipher = c; j = 1; }

[openssl_CVE-2010-4180_1296729780_ssl3_get_client_hello.diff] ssl3_get_client_hello_OLD.c #2
j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher
.\cloneFuncs\totalClone\Type-1\CVE-2010-4180_before_1mo_1283706841_ssl3_get_client_hello.c
204
205
206
207
208
209
210
211
212
213
{ /* Special case as client bug workaround: the previously used cipher may * not be in the current list, the client instead might be trying to * continue using a cipher that before wasn't chosen due to server * preferences. We'll have to reject the connection if the cipher is not * enabled, though. */ c = sk_SSL_CIPHER_value(ciphers, 0); if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { s->session->cipher = c;
+ show +
214
215
216
217
218
219
j = 1; } } if (j == 0) { /* we need to have the cipher in the cipher
+ show +
220
221
222
223
224
225
226
227
228
229
* list if we are asked to reuse it */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); goto f_err; } } /* compression */ i= *(p++); if ((p+i) > (d+n))
.\cloneFuncs\totalClone\Type-3\CVE-2010-4180_before_6mo_1280311615_ssl3_get_client_hello.c
204
205
206
207
208
209
210
211
212
213
{ /* Special case as client bug workaround: the previously used cipher may * not be in the current list, the client instead might be trying to * continue using a cipher that before wasn't chosen due to server * preferences. We'll have to reject the connection if the cipher is not * enabled, though. */ c = sk_SSL_CIPHER_value(ciphers, 0); if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { s->session->cipher = c;
+ show +
214
215
216
217
218
219
j = 1; } } if (j == 0) { /* we need to have the cipher in the cipher
+ show +
220
221
222
223
224
225
226
227
228
229
* list if we are asked to reuse it */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); goto f_err; } } /* compression */ i= *(p++); if ((p+i) > (d+n))

[libtiff_CVE-2011-0192_1583019539_Fax3SetupState.diff] Fax3SetupState_OLD.c #1
int needsRefLine; Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif); tmsize_t rowbytes; - uint32 rowpixels, nruns; + uint32 rowpixels; if (td->td_bitspersample != 1) { TIFFErrorExt(tif->tif_clientdata, module,
.\cloneFuncs\totalClone\Type-1\CVE-2011-0192_before_1mo_1512061356_Fax3SetupState.c
1
2
3
4
5
6
static int Fax3SetupState(TIFF* tif) { static const char module[] = "Fax3SetupState"; TIFFDirectory* td = &tif->tif_dir; Fax3BaseState* sp = Fax3State(tif);
+ show +
7
8
9
10
11
12
13
int needsRefLine; Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif); tmsize_t rowbytes; uint32 rowpixels, nruns; if (td->td_bitspersample != 1) { TIFFErrorExt(tif->tif_clientdata, module,
+ show +
14
15
16
17
18
19
20
21
22
23
"Bits/sample must be 1 for Group 3/4 encoding/decoding"); return (0); } /* * Calculate the scanline/tile widths. */ if (isTiled(tif)) { rowbytes = TIFFTileRowSize(tif); rowpixels = td->td_tilewidth; } else {

[libtiff_CVE-2011-0192_1583019539_Fax3SetupState.diff] Fax3SetupState_OLD.c #2
TIFFroundup and TIFFSafeMultiply return zero on integer overflow */ dsp->runs=(uint32*) NULL; - nruns = TIFFroundup_32(rowpixels,32); + dsp->nruns = TIFFroundup_32(rowpixels,32); if (needsRefLine) { - nruns = TIFFSafeMultiply(uint32,nruns,2); + dsp->nruns = TIFFSafeMultiply(uint32,dsp->nruns,2); } - if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { + if ((dsp->nruns == 0) || (TIFFSafeMultiply(uint32,dsp->nruns,2) == 0)) { TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Row pixels integer overflow (rowpixels %u)", rowpixels); return (0); } dsp->runs = (uint32*) _TIFFCheckMalloc(tif, - TIFFSafeMultiply(uint32,nruns,2), + TIFFSafeMultiply(uint32,dsp->nruns,2), sizeof (uint32), "for Group 3/4 run arrays"); if (dsp->runs == NULL) return (0); - memset( dsp->runs, 0, TIFFSafeMultiply(uint32,nruns,2)*sizeof(uint32)); + memset( dsp->runs, 0, TIFFSafeMultiply(uint32,dsp->nruns,2)*sizeof(uint32)); dsp->curruns = dsp->runs; if (needsRefLine) - dsp->refruns = dsp->runs + nruns; + dsp->refruns = dsp->runs + dsp->nruns; else dsp->refruns = NULL; if (td->td_compression == COMPRESSION_CCITTFAX3
.\cloneFuncs\totalClone\Type-1\CVE-2011-0192_before_1mo_1512061356_Fax3SetupState.c
30
31
32
33
34
35
36
37
38
39
* Allocate any additional space required for decoding/encoding. */ needsRefLine = ( (sp->groupoptions & GROUP3OPT_2DENCODING) || td->td_compression == COMPRESSION_CCITTFAX4 ); /* Assure that allocation computations do not overflow.
+ show +
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
TIFFroundup and TIFFSafeMultiply return zero on integer overflow */ dsp->runs=(uint32*) NULL; nruns = TIFFroundup_32(rowpixels,32); if (needsRefLine) { nruns = TIFFSafeMultiply(uint32,nruns,2); } if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Row pixels integer overflow (rowpixels %u)", rowpixels); return (0); } dsp->runs = (uint32*) _TIFFCheckMalloc(tif, TIFFSafeMultiply(uint32,nruns,2), sizeof (uint32), "for Group 3/4 run arrays"); if (dsp->runs == NULL) return (0); memset( dsp->runs, 0, TIFFSafeMultiply(uint32,nruns,2)*sizeof(uint32)); dsp->curruns = dsp->runs; if (needsRefLine) dsp->refruns = dsp->runs + nruns; else dsp->refruns = NULL; if (td->td_compression == COMPRESSION_CCITTFAX3
+ show +
66
67
68
69
70
71
72
73
74
75
&& is2DEncoding(dsp)) { /* NB: default is 1D routine */ tif->tif_decoderow = Fax3Decode2D; tif->tif_decodestrip = Fax3Decode2D; tif->tif_decodetile = Fax3Decode2D; } if (needsRefLine) { /* 2d encoding */ Fax3CodecState* esp = EncoderState(tif); /* * 2d encoding requires a scanline

[linux_CVE-2011-0726_1300923773_do_task_stat.diff] do_task_stat_OLD.c #1
vsize, mm ? get_mm_rss(mm) : 0, rsslim, - mm ? mm->start_code : 0, - mm ? mm->end_code : 0, + mm ? (permitted ? mm->start_code : 1) : 0, + mm ? (permitted ? mm->end_code : 1) : 0, (permitted && mm) ? mm->start_stack : 0, esp, eip,
.\cloneFuncs\totalClone\Type-1\CVE-2011-0726_before_1mo_1294880432_do_task_stat.c
120
121
122
123
124
125
126
127
128
129
maj_flt, cmaj_flt, cputime_to_clock_t(utime), cputime_to_clock_t(stime), cputime_to_clock_t(cutime), cputime_to_clock_t(cstime), priority, nice, num_threads, start_time,
+ show +
130
131
132
133
134
135
136
137
vsize, mm ? get_mm_rss(mm) : 0, rsslim, mm ? mm->start_code : 0, mm ? mm->end_code : 0, (permitted && mm) ? mm->start_stack : 0, esp, eip,
+ show +
138
139
140
141
142
143
144
145
146
147
/* The signal information here is obsolete. * It must be decimal for Linux 2.0 compatibility. * Use /proc/#/status for real-time signals. */ task->pending.signal.sig[0] & 0x7fffffffUL, task->blocked.sig[0] & 0x7fffffffUL, sigign .sig[0] & 0x7fffffffUL, sigcatch .sig[0] & 0x7fffffffUL, wchan, 0UL,

[linux_CVE-2011-1013_1298500506_drm_modeset_ctl.diff] drm_modeset_ctl_OLD.c #1
struct drm_file *file_priv) { struct drm_modeset_ctl *modeset = data; - int crtc, ret = 0; + int ret = 0; + unsigned int crtc; /* If drm_vblank_init() hasn't been called yet, just no-op */ if (!dev->num_crtcs)
.\cloneFuncs\totalClone\Type-1\CVE-2011-1013_before_1mo_1294180268_drm_modeset_ctl.c
1
int drm_modeset_ctl(struct drm_device *dev, void *data,
+ show +
2
3
4
5
6
7
8
struct drm_file *file_priv) { struct drm_modeset_ctl *modeset = data; int crtc, ret = 0; /* If drm_vblank_init() hasn't been called yet, just no-op */ if (!dev->num_crtcs)
+ show +
9
10
11
12
13
14
15
16
17
18
goto out; crtc = modeset->crtc; if (crtc >= dev->num_crtcs) { ret = -EINVAL; goto out; } switch (modeset->cmd) { case _DRM_PRE_MODESET:

[linux_CVE-2011-1076_1299151738_dns_resolver_instantiate.diff] dns_resolver_instantiate_OLD.c #1
size_t result_len = 0; const char *data = _data, *end, *opt; - kenter("%%%d,%s,'%s',%zu", - key->serial, key->description, data, datalen); + kenter("%%%d,%s,'%*.*s',%zu", + key->serial, key->description, + (int)datalen, (int)datalen, data, datalen); if (datalen <= 1 || !data || data[datalen - 1] != '\0') return -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2011-1076_before_imd_1281515878_dns_resolver_instantiate.c
1
2
3
4
5
6
static int dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen) { struct user_key_payload *upayload; unsigned long derrno; int ret;
+ show +
7
8
9
10
11
12
13
14
size_t result_len = 0; const char *data = _data, *end, *opt; kenter("%%%d,%s,'%s',%zu", key->serial, key->description, data, datalen); if (datalen <= 1 || !data || data[datalen - 1] != '\0') return -EINVAL;
+ show +
15
16
17
18
19
20
21
22
23
24
datalen--; /* deal with any options embedded in the data */ end = data + datalen; opt = memchr(data, '#', datalen); if (!opt) { /* no options: the entire data is the result */ kdebug("no options"); result_len = datalen; } else {

[linux_CVE-2011-1079_1555053870_do_hidp_sock_ioctl.diff] do_hidp_sock_ioctl_OLD.c #1
sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
.\cloneFuncs\totalClone\Type-1\CVE-2011-1079_before_imd_1534470955_do_hidp_sock_ioctl.c
17
18
19
20
21
22
23
24
25
26
if (copy_from_user(&ca, argp, sizeof(ca))) return -EFAULT; csock = sockfd_lookup(ca.ctrl_sock, &err); if (!csock) return err; isock = sockfd_lookup(ca.intr_sock, &err); if (!isock) {
+ show +
27
28
29
30
31
32
sockfd_put(csock); return err; } err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
+ show +
33
34
35
36
37
38
39
40
41
42
err = -EFAULT; sockfd_put(csock); sockfd_put(isock); return err; case HIDPCONNDEL: if (!capable(CAP_NET_ADMIN)) return -EPERM;

[linux_CVE-2011-1161_1504884092_tpm_common_write.diff] tpm_common_write_OLD.c #1
return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open.
.\cloneFuncs\totalClone\Type-1\CVE-2011-1161_before_imd_1484104133_tpm_common_write.c
13
14
15
16
17
18
19
20
21
22
return -EBUSY; if (in_size > TPM_BUFSIZE) return -E2BIG; mutex_lock(&priv->buffer_mutex); if (copy_from_user (priv->data_buffer, (void __user *) buf, in_size)) { mutex_unlock(&priv->buffer_mutex);
+ show +
23
24
25
26
27
28
return -EFAULT; } /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open.
+ show +
29
30
31
32
33
34
35
36
37
38
*/ if (tpm_try_get_ops(priv->chip)) { mutex_unlock(&priv->buffer_mutex); return -EPIPE; } out_size = tpm_transmit(priv->chip, space, priv->data_buffer, sizeof(priv->data_buffer), 0); tpm_put_ops(priv->chip); if (out_size < 0) {

[linux_CVE-2011-1162_1316108862_tpm_read.diff] tpm_read_OLD.c #1
{ struct tpm_chip *chip = file->private_data; ssize_t ret_size; + int rc; del_singleshot_timer_sync(&chip->user_read_timer); flush_work_sync(&chip->work);
.\cloneFuncs\totalClone\Type-1\CVE-2011-1162_before_1mo_1301501614_tpm_read.c
1
2
ssize_t tpm_read(struct file *file, char __user *buf, size_t size, loff_t *off)
+ show +
3
4
5
6
7
8
{ struct tpm_chip *chip = file->private_data; ssize_t ret_size; del_singleshot_timer_sync(&chip->user_read_timer); flush_work_sync(&chip->work);
+ show +
9
10
11
12
13
14
15
16
17
18
ret_size = atomic_read(&chip->data_pending); atomic_set(&chip->data_pending, 0); if (ret_size > 0) { /* relay data */ if (size < ret_size) ret_size = size; mutex_lock(&chip->buffer_mutex); if (copy_to_user(buf, chip->data_buffer, ret_size)) ret_size = -EFAULT; mutex_unlock(&chip->buffer_mutex);

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #1
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) { struct setup_header *hdr; + uint64_t payload_offset, payload_length; int ret; if ( dom->kernel_blob == NULL )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
+ show +
1
2
3
4
5
6
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) { struct setup_header *hdr; int ret; if ( dom->kernel_blob == NULL )
+ show +
7
8
9
10
11
12
13
14
15
16
{ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, "%s: no kernel image loaded", __FUNCTION__); return -EINVAL; } if ( dom->kernel_size < sizeof(struct setup_header) ) { xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, "%s: kernel image too small", __FUNCTION__);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_6mo_1282671779_xc_dom_probe_bzimage_kernel.c
+ show +
1
2
3
4
5
6
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) { struct setup_header *hdr; int ret; if ( dom->kernel_blob == NULL )
+ show +
7
8
9
10
11
12
13
14
15
16
{ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, "%s: no kernel image loaded", __FUNCTION__); return -EINVAL; } if ( dom->kernel_size < sizeof(struct setup_header) ) { xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, "%s: kernel image too small", __FUNCTION__);

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #2
return -EINVAL; } - dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); - dom->kernel_size = hdr->payload_length; - if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) + /* upcast to 64 bits to avoid overflow */ + /* setup_sects is u8 and so cannot overflow */ + payload_offset = (hdr->setup_sects + 1) * 512; + payload_offset += hdr->payload_offset; + payload_length = hdr->payload_length; + + if ( payload_offset >= dom->kernel_size ) + { + xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload offset overflow", + __FUNCTION__); + return -EINVAL; + } + if ( (payload_offset + payload_length) > dom->kernel_size ) + { + xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload length overflow", + __FUNCTION__); + return -EINVAL; + } + + dom->kernel_blob = dom->kernel_blob + payload_offset; + dom->kernel_size = payload_length; + + if ( check_magic(dom, "\037\213", 2) ) { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret == -1 )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
23
24
25
26
27
28
29
30
31
32
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: kernel is not a bzImage", __FUNCTION__); return -EINVAL; } if ( hdr->version < VERSION(2,8) ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: boot protocol" " too old (%04x)", __FUNCTION__, hdr->version);
+ show +
33
34
35
36
37
38
39
40
41
42
return -EINVAL; } dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); dom->kernel_size = hdr->payload_length; if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret == -1 )
+ show +
43
44
45
46
47
48
49
50
51
52
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: unable to" " gzip decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_6mo_1282671779_xc_dom_probe_bzimage_kernel.c
23
24
25
26
27
28
29
30
31
32
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: kernel is not a bzImage", __FUNCTION__); return -EINVAL; } if ( hdr->version < VERSION(2,8) ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: boot protocol" " too old (%04x)", __FUNCTION__, hdr->version);
+ show +
33
34
35
36
37
38
39
40
41
42
return -EINVAL; } dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); dom->kernel_size = hdr->payload_length; if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret == -1 )
+ show +
43
44
45
46
47
48
49
50
51
52
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: unable to" " gzip decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #3
return -EINVAL; } } - else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) + else if ( check_magic(dom, "\102\132\150", 3) ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
36
37
38
39
40
41
42
43
44
45
dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); dom->kernel_size = hdr->payload_length; if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret == -1 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: unable to" " gzip decompress kernel", __FUNCTION__);
+ show +
46
47
48
49
50
51
52
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
53
54
55
56
57
58
59
60
61
62
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to BZIP2 decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\3757zXZ", 6) == 0 ) { ret = xc_try_xz_decode(dom, &dom->kernel_blob, &dom->kernel_size);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_6mo_1282671779_xc_dom_probe_bzimage_kernel.c
36
37
38
39
40
41
42
43
44
45
dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); dom->kernel_size = hdr->payload_length; if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret == -1 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: unable to" " gzip decompress kernel", __FUNCTION__);
+ show +
46
47
48
49
50
51
52
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
53
54
55
56
57
58
59
60
61
62
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to BZIP2 decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size);

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #4
return -EINVAL; } } - else if ( memcmp(dom->kernel_blob, "\3757zXZ", 6) == 0 ) + else if ( check_magic(dom, "\3757zXZ", 6) ) { ret = xc_try_xz_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
47
48
49
50
51
52
53
54
55
56
} } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to BZIP2 decompress kernel", __FUNCTION__);
+ show +
57
58
59
60
61
62
63
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\3757zXZ", 6) == 0 ) { ret = xc_try_xz_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
64
65
66
67
68
69
70
71
72
73
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to XZ decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size);

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #5
return -EINVAL; } } - else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) + else if ( check_magic(dom, "\135\000", 2) ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
58
59
60
61
62
63
64
65
66
67
} } else if ( memcmp(dom->kernel_blob, "\3757zXZ", 6) == 0 ) { ret = xc_try_xz_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to XZ decompress kernel", __FUNCTION__);
+ show +
68
69
70
71
72
73
74
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
75
76
77
78
79
80
81
82
83
84
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZMA decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 ) { ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_6mo_1282671779_xc_dom_probe_bzimage_kernel.c
47
48
49
50
51
52
53
54
55
56
} } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to BZIP2 decompress kernel", __FUNCTION__);
+ show +
57
58
59
60
61
62
63
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
64
65
66
67
68
69
70
71
72
73
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZMA decompress kernel", __FUNCTION__); return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 ) { ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size);

[xen_CVE-2011-1583_1304949657_xc_dom_probe_bzimage_kernel.diff] xc_dom_probe_bzimage_kernel_OLD.c #6
return -EINVAL; } } - else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 ) + else if ( check_magic(dom, "\x89LZO", 5) ) { ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_1mo_1299687576_xc_dom_probe_bzimage_kernel.c
69
70
71
72
73
74
75
76
77
78
} } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZMA decompress kernel", __FUNCTION__);
+ show +
79
80
81
82
83
84
85
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 ) { ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
86
87
88
89
90
91
92
93
94
95
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZO decompress kernel\n", __FUNCTION__); return -EINVAL; } } else { xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_6mo_1282671779_xc_dom_probe_bzimage_kernel.c
58
59
60
61
62
63
64
65
66
67
} } else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 ) { ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 ) { xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZMA decompress kernel", __FUNCTION__);
+ show +
68
69
70
71
72
73
74
return -EINVAL; } } else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 ) { ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size); if ( ret < 0 )
+ show +
75
76
77
78
79
80
81
82
83
84
{ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s unable to LZO decompress kernel\n", __FUNCTION__); return -EINVAL; } } else { xc_dom_panic(dom->xch, XC_INVALID_KERNEL,

[xen_CVE-2011-1583_1304949657__xc_try_lzma_decode.diff] _xc_try_lzma_decode_OLD.c #1
for ( ; ; ) { ret = lzma_code(stream, action); - if ( (stream->avail_out == 0) || (ret != LZMA_OK) ) + if ( ret == LZMA_STREAM_END ) { - tmp_buf = realloc(out_buf, outsize * 2); - if ( tmp_buf == NULL ) - { - DOMPRINTF("%s: Failed to realloc memory", what); - free(out_buf); - goto lzma_cleanup; - } - out_buf = tmp_buf; - - stream->next_out = out_buf + outsize; - stream->avail_out = (outsize * 2) - outsize; - outsize *= 2; + DOMPRINTF("%s: Saw data stream end", what); + retval = 0; + break; } - if ( ret != LZMA_OK ) { - if ( ret == LZMA_STREAM_END ) - { - DOMPRINTF("%s: Saw data stream end", what); - retval = 0; - break; - } - switch ( ret ) { case LZMA_MEM_ERROR:
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_imd_1299867653__xc_try_lzma_decode.c
21
22
23
24
25
26
27
28
29
30
DOMPRINTF("%s: Failed to alloc memory", what); goto lzma_cleanup; } stream->next_in = dom->kernel_blob; stream->avail_in = dom->kernel_size; stream->next_out = out_buf; stream->avail_out = dom->kernel_size;
+ show +
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
for ( ; ; ) { ret = lzma_code(stream, action); if ( (stream->avail_out == 0) || (ret != LZMA_OK) ) { tmp_buf = realloc(out_buf, outsize * 2); if ( tmp_buf == NULL ) { DOMPRINTF("%s: Failed to realloc memory", what); free(out_buf); goto lzma_cleanup; } out_buf = tmp_buf; stream->next_out = out_buf + outsize; stream->avail_out = (outsize * 2) - outsize; outsize *= 2; } if ( ret != LZMA_OK ) { if ( ret == LZMA_STREAM_END ) { DOMPRINTF("%s: Saw data stream end", what); retval = 0; break; } switch ( ret ) { case LZMA_MEM_ERROR:
+ show +
62
63
64
65
66
67
68
69
70
71
msg = strerror(ENOMEM); break; case LZMA_MEMLIMIT_ERROR: msg = "Memory usage limit reached"; break; case LZMA_FORMAT_ERROR: msg = "File format not recognized"; break;
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_1mo_1299687576__xc_try_lzma_decode.c
26
27
28
29
30
31
32
33
34
35
DOMPRINTF("%s: Failed to alloc memory", what); goto lzma_cleanup; } stream->next_in = dom->kernel_blob; stream->avail_in = dom->kernel_size; stream->next_out = out_buf; stream->avail_out = dom->kernel_size;
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
for ( ; ; ) { ret = lzma_code(stream, action); if ( (stream->avail_out == 0) || (ret != LZMA_OK) ) { tmp_buf = realloc(out_buf, outsize * 2); if ( tmp_buf == NULL ) { DOMPRINTF("%s: Failed to realloc memory", what); free(out_buf); goto lzma_cleanup; } out_buf = tmp_buf; stream->next_out = out_buf + outsize; stream->avail_out = (outsize * 2) - outsize; outsize *= 2; } if ( ret != LZMA_OK ) { if ( ret == LZMA_STREAM_END ) { DOMPRINTF("%s: Saw data stream end", what); retval = 0; break; } switch ( ret ) { case LZMA_MEM_ERROR:
+ show +
67
68
69
70
71
72
73
74
75
76
msg = strerror(ENOMEM); break; case LZMA_MEMLIMIT_ERROR: msg = "Memory usage limit reached"; break; case LZMA_FORMAT_ERROR: msg = "File format not recognized"; break;

[xen_CVE-2011-1583_1304949657__xc_try_lzma_decode.diff] _xc_try_lzma_decode_OLD.c #2
} DOMPRINTF("%s: %s decompression error: %s", __FUNCTION__, what, msg); - break; + free(out_buf); + goto lzma_cleanup; + } + + if ( stream->avail_out == 0 ) + { + /* Protect against output buffer overflow */ + if ( outsize > INT_MAX / 2 ) + { + DOMPRINTF("%s: output buffer overflow", what); + free(out_buf); + goto lzma_cleanup; + } + + tmp_buf = realloc(out_buf, outsize * 2); + if ( tmp_buf == NULL ) + { + DOMPRINTF("%s: Failed to realloc memory", what); + free(out_buf); + goto lzma_cleanup; + } + out_buf = tmp_buf; + + stream->next_out = out_buf + outsize; + stream->avail_out = (outsize * 2) - outsize; + outsize *= 2; } }
.\cloneFuncs\totalClone\Type-1\CVE-2011-1583_before_imd_1299867653__xc_try_lzma_decode.c
79
80
81
82
83
84
85
86
87
88
msg = "File is corrupt"; break; case LZMA_BUF_ERROR: msg = "Unexpected end of input"; break; default: msg = "Internal program error (bug)"; break;
+ show +
89
90
91
92
93
94
} DOMPRINTF("%s: %s decompression error: %s", __FUNCTION__, what, msg); break; } }
+ show +
95
96
97
98
99
100
101
102
103
104
DOMPRINTF("%s: %s decompress OK, 0x%zx -> 0x%zx", __FUNCTION__, what, *size, (size_t)stream->total_out); *blob = out_buf; *size = stream->total_out; lzma_cleanup: lzma_end(stream);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1583_before_1mo_1299687576__xc_try_lzma_decode.c
84
85
86
87
88
89
90
91
92
93
msg = "File is corrupt"; break; case LZMA_BUF_ERROR: msg = "Unexpected end of input"; break; default: msg = "Internal program error (bug)"; break;
+ show +
94
95
96
97
98
99
} DOMPRINTF("%s: %s decompression error: %s", __FUNCTION__, what, msg); break; } }
+ show +
100
101
102
103
104
105
106
107
108
109
DOMPRINTF("%s: %s decompress OK, 0x%zx -> 0x%zx", __FUNCTION__, what, *size, (size_t)stream->total_out); *blob = out_buf; *size = stream->total_out; lzma_cleanup: lzma_end(stream);

[xen_CVE-2011-1898_1305214920_init_vtd_hw.diff] init_vtd_hw_OLD.c #1
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic)); + if ( force_iommu ) + panic("intremap remapping failed to enable with iommu=required/force in grub\n"); break; } }
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
47
48
49
50
51
52
53
54
55
56
*/ if ( iommu_intremap ) { int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX,
+ show +
57
58
59
60
61
62
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic)); break; } }
+ show +
63
64
65
66
67
68
69
70
71
72
} if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_1mo_1308150611_init_vtd_hw.c
47
48
49
50
51
52
53
54
55
56
*/ if ( iommu_intremap ) { int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX,
+ show +
57
58
59
60
61
62
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic)); break; } }
+ show +
63
64
65
66
67
68
69
70
71
72
} if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX,
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_6mo_1321364861_init_vtd_hw.c
48
49
50
51
52
53
54
55
56
57
*/ if ( iommu_intremap ) { int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX,
+ show +
58
59
60
61
62
63
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic)); break; } }
+ show +
64
65
66
67
68
69
70
71
72
73
} if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { iommu_intremap = 0; dprintk(XENLOG_WARNING VTDPREFIX,
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_before_6mo_1288772331_init_vtd_hw.c
49
50
51
52
53
54
55
56
57
58
if ( iommu_intremap ) { int apic; for ( apic = 0; apic < nr_ioapics; apic++ ) { if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL ) { iommu_intremap = 0; dprintk(XENLOG_ERR VTDPREFIX,
+ show +
59
60
61
62
63
64
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! " "Will not try to enable Interrupt Remapping.\n", apic, IO_APIC_ID(apic)); break; } }
+ show +
65
66
67
68
69
70
71
72
73
74
} if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 ) { dprintk(XENLOG_WARNING VTDPREFIX,

[xen_CVE-2011-1898_1305214920_init_vtd_hw.diff] init_vtd_hw_OLD.c #2
{ dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n"); + + if ( force_iommu && platform_supports_intremap() ) + panic("intremap remapping failed to enable with iommu=required/force in grub\n"); break; } }
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
60
61
62
63
64
65
66
67
68
69
break; } } } if ( iommu_intremap ) { for_each_drhd_unit ( drhd ) { iommu = drhd->iommu; if ( enable_intremap(iommu, 0) != 0 )
+ show +
70
71
72
73
74
75
{ dprintk(XENLOG_WARNING VTDPREFIX, "Interrupt Remapping not enabled\n"); break; } }
+ show +
76
77
78
79
80
81
82
83
84
85
} /* * Set root entries for each VT-d engine. After set root entry, * must globally invalidate context cache, and then globally * invalidate IOTLB */ for_each_drhd_unit ( drhd ) { iommu = drhd->iommu;

[qemu_CVE-2011-2212_1308566547_virtqueue_pop.diff] virtqueue_pop_OLD.c #1
struct iovec *sg; if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { + if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) { + error_report("Too many write descriptors in indirect table"); + exit(1); + } elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); sg = &elem->in_sg[elem->in_num++]; } else { + if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) { + error_report("Too many read descriptors in indirect table"); + exit(1); + } elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); sg = &elem->out_sg[elem->out_num++]; }
.\cloneFuncs\totalClone\Type-1\CVE-2011-2212_before_imd_1308744234_virtqueue_pop.c
23
24
25
26
27
28
29
30
31
32
} /* loop over the indirect descriptor table */ max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; } /* Collect all the descriptors */ do {
+ show +
33
34
35
36
37
38
39
40
41
struct iovec *sg; if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); sg = &elem->in_sg[elem->in_num++]; } else { elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); sg = &elem->out_sg[elem->out_num++]; }
+ show +
42
43
44
45
46
47
48
49
50
51
sg->iov_len = vring_desc_len(desc_pa, i); /* If we've got too many, that implies a descriptor loop. */ if ((elem->in_num + elem->out_num) > max) { error_report("Looped descriptor"); exit(1); } } while ((i = virtqueue_next_desc(desc_pa, i, max)) != max);
.\cloneFuncs\totalClone\Type-3\CVE-2011-2212_before_1mo_1301235149_virtqueue_pop.c
20
21
22
23
24
25
26
27
28
29
} /* loop over the indirect descriptor table */ max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; } /* Collect all the descriptors */ do {
+ show +
30
31
32
33
34
35
36
37
38
struct iovec *sg; if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); sg = &elem->in_sg[elem->in_num++]; } else { elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); sg = &elem->out_sg[elem->out_num++]; }
+ show +
39
40
41
42
43
44
45
46
47
48
sg->iov_len = vring_desc_len(desc_pa, i); /* If we've got too many, that implies a descriptor loop. */ if ((elem->in_num + elem->out_num) > max) { error_report("Looped descriptor"); exit(1); } } while ((i = virtqueue_next_desc(desc_pa, i, max)) != max);

[openssl_CVE-2011-3207_1315322109_check_cert.diff] check_cert_OLD.c #1
x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; + ctx->current_crl_score = 0; ctx->current_reasons = 0; while (ctx->current_reasons != CRLDP_ALL_REASONS) {
.\cloneFuncs\totalClone\Type-1\CVE-2011-3207_before_1mo_1288713538_check_cert.c
1
2
3
4
5
6
static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; cnum = ctx->error_depth;
+ show +
7
8
9
10
11
12
x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_reasons = 0; while (ctx->current_reasons != CRLDP_ALL_REASONS) {
+ show +
13
14
15
16
17
18
19
20
21
22
/* Try to retrieve relevant CRL */ if (ctx->get_crl) ok = ctx->get_crl(ctx, &crl, x); else ok = get_crl_delta(ctx, &crl, &dcrl, x); /* If error looking up CRL, nothing we can do except * notify callback */ if(!ok) {

[linux_CVE-2011-3353_1397802064_recover_inode_page.diff] recover_inode_page_OLD.c #1
struct node_info old_ni, new_ni; struct page *ipage; + get_node_info(sbi, ino, &old_ni); + + if (unlikely(old_ni.blk_addr != NULL_ADDR)) + return -EINVAL; + ipage = grab_cache_page(NODE_MAPPING(sbi), ino); if (!ipage) return -ENOMEM;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3353_before_imd_1397787277_recover_inode_page.c
1
2
3
4
int recover_inode_page(struct f2fs_sb_info *sbi, struct page *page) { struct f2fs_inode *src, *dst; nid_t ino = ino_of_node(page);
+ show +
5
6
7
8
9
10
struct node_info old_ni, new_ni; struct page *ipage; ipage = grab_cache_page(NODE_MAPPING(sbi), ino); if (!ipage) return -ENOMEM;
+ show +
11
12
13
14
15
16
17
18
19
20
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true); src = F2FS_INODE(page); dst = F2FS_INODE(ipage);
.\cloneFuncs\totalClone\Type-2\CVE-2011-3353_before_1mo_1395118031_recover_inode_page.c
1
2
3
4
int recover_inode_page(struct f2fs_sb_info *sbi, struct page *page) { struct f2fs_inode *src, *dst; nid_t ino = ino_of_node(page);
+ show +
5
6
7
8
9
10
struct node_info old_ni, new_ni; struct page *ipage; ipage = grab_cache_page(NODE_MAPPING(sbi), ino); if (!ipage) return -ENOMEM;
+ show +
11
12
13
14
15
16
17
18
19
20
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true); src = F2FS_INODE(page); dst = F2FS_INODE(ipage);

[linux_CVE-2011-3353_1397802064_recover_inode_page.diff] recover_inode_page_OLD.c #2
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); - get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true);
.\cloneFuncs\totalClone\Type-1\CVE-2011-3353_before_imd_1397787277_recover_inode_page.c
2
3
4
5
6
7
8
9
10
11
{ struct f2fs_inode *src, *dst; nid_t ino = ino_of_node(page); struct node_info old_ni, new_ni; struct page *ipage; ipage = grab_cache_page(NODE_MAPPING(sbi), ino); if (!ipage) return -ENOMEM;
+ show +
12
13
14
15
16
17
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true);
+ show +
18
19
20
21
22
23
24
25
26
27
src = F2FS_INODE(page); dst = F2FS_INODE(ipage); memcpy(dst, src, (unsigned long)&src->i_ext - (unsigned long)src); dst->i_size = 0; dst->i_blocks = cpu_to_le64(1); dst->i_links = cpu_to_le32(1); dst->i_xattr_nid = 0;
.\cloneFuncs\totalClone\Type-2\CVE-2011-3353_before_1mo_1395118031_recover_inode_page.c
2
3
4
5
6
7
8
9
10
11
{ struct f2fs_inode *src, *dst; nid_t ino = ino_of_node(page); struct node_info old_ni, new_ni; struct page *ipage; ipage = grab_cache_page(NODE_MAPPING(sbi), ino); if (!ipage) return -ENOMEM;
+ show +
12
13
14
15
16
17
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true);
+ show +
18
19
20
21
22
23
24
25
26
27
src = F2FS_INODE(page); dst = F2FS_INODE(ipage); memcpy(dst, src, (unsigned long)&src->i_ext - (unsigned long)src); dst->i_size = 0; dst->i_blocks = cpu_to_le64(1); dst->i_links = cpu_to_le32(1); dst->i_xattr_nid = 0;
.\cloneFuncs\totalClone\Type-4\CVE-2011-3353_before_6mo_1381903766_recover_inode_page.c
3
4
5
6
7
8
9
10
11
12
struct address_space *mapping = sbi->node_inode->i_mapping; struct f2fs_node *src, *dst; nid_t ino = ino_of_node(page); struct node_info old_ni, new_ni; struct page *ipage; ipage = grab_cache_page(mapping, ino); if (!ipage) return -ENOMEM;
+ show +
13
14
15
16
17
18
/* Should not use this inode from free nid list */ remove_free_nid(NM_I(sbi), ino); get_node_info(sbi, ino, &old_ni); SetPageUptodate(ipage); fill_node_footer(ipage, ino, ino, 0, true);
+ show +
19
20
21
22
23
24
25
26
27
28
src = F2FS_NODE(page); dst = F2FS_NODE(ipage); memcpy(dst, src, (unsigned long)&src->i.i_ext - (unsigned long)&src->i); dst->i.i_size = 0; dst->i.i_blocks = cpu_to_le64(1); dst->i.i_links = cpu_to_le32(1); dst->i.i_xattr_nid = 0;

[ffmpeg_CVE-2011-3893_1325795141_vorbis_residue_decode_internal.diff] vorbis_residue_decode_internal_OLD.c #1
uint8_t *do_not_decode, float *vec, unsigned vlen, + unsigned ch_left, int vr_type) { GetBitContext *gb = &vc->gb;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3893_before_1mo_1315325865_vorbis_residue_decode_internal.c
1
2
3
static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, unsigned ch,
+ show +
4
5
6
7
8
9
uint8_t *do_not_decode, float *vec, unsigned vlen, int vr_type) { GetBitContext *gb = &vc->gb;
+ show +
10
11
12
13
14
15
16
17
18
19
unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; if (vr_type == 2) { for (j = 1; j < ch; ++j) do_not_decode[0] &= do_not_decode[j]; // FIXME - clobbering input if (do_not_decode[0]) return 0;

[ffmpeg_CVE-2011-3893_1325795141_vorbis_residue_decode_internal.diff] vorbis_residue_decode_internal_OLD.c #2
unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; + unsigned max_output = (ch - 1) * vlen; if (vr_type == 2) { for (j = 1; j < ch; ++j)
.\cloneFuncs\totalClone\Type-1\CVE-2011-3893_before_1mo_1315325865_vorbis_residue_decode_internal.c
1
2
3
4
5
6
7
8
9
10
static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, unsigned ch, uint8_t *do_not_decode, float *vec, unsigned vlen, int vr_type) { GetBitContext *gb = &vc->gb; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions;
+ show +
11
12
13
14
15
16
unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; if (vr_type == 2) { for (j = 1; j < ch; ++j)
+ show +
17
18
19
20
21
22
23
24
25
26
do_not_decode[0] &= do_not_decode[j]; // FIXME - clobbering input if (do_not_decode[0]) return 0; ch_used = 1; } else { ch_used = ch; } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);

[ffmpeg_CVE-2011-3893_1325795141_vorbis_residue_decode_internal.diff] vorbis_residue_decode_internal_OLD.c #3
if (do_not_decode[0]) return 0; ch_used = 1; + max_output += vr->end / ch; } else { ch_used = ch; + max_output += vr->end; + } + + if (max_output > ch_left * vlen) { + av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n"); + return -1; } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
.\cloneFuncs\totalClone\Type-1\CVE-2011-3893_before_1mo_1315325865_vorbis_residue_decode_internal.c
8
9
10
11
12
13
14
15
16
17
{ GetBitContext *gb = &vc->gb; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; if (vr_type == 2) { for (j = 1; j < ch; ++j) do_not_decode[0] &= do_not_decode[j]; // FIXME - clobbering input
+ show +
18
19
20
21
22
23
24
25
if (do_not_decode[0]) return 0; ch_used = 1; } else { ch_used = ch; } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
+ show +
26
27
28
29
30
31
32
33
34
35
for (pass = 0; pass <= vr->maxpass; ++pass) { // FIXME OPTIMIZE? uint16_t voffset, partition_count, j_times_ptns_to_read; voffset = vr->begin; for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { unsigned inverse_class = ff_inverse[vr->classifications]; for (j_times_ptns_to_read = 0, j = 0; j < ch_used; ++j) { if (!do_not_decode[j]) {

[ffmpeg_CVE-2011-3895_1325796018_vorbis_parse_setup_hdr_residues.diff] vorbis_parse_setup_hdr_residues_OLD.c #1
res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
.\cloneFuncs\totalClone\Type-1\CVE-2011-3895_before_1mo_1315325865_vorbis_parse_setup_hdr_residues.c
12
13
14
15
16
17
18
19
20
21
vorbis_residue *res_setup = &vc->residues[i]; uint8_t cascade[64]; unsigned high_bits, low_bits; res_setup->type = get_bits(gb, 16); av_dlog(NULL, " %u. residue type %d\n", i, res_setup->type); res_setup->begin = get_bits(gb, 24); res_setup->end = get_bits(gb, 24);
+ show +
22
23
24
25
26
27
28
res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
+ show +
29
30
31
32
33
34
35
36
37
38
res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2); return AVERROR_INVALIDDATA; } res_setup->classifications = get_bits(gb, 6) + 1; GET_VALIDATED_INDEX(res_setup->classbook, 8, vc->codebook_count) res_setup->ptns_to_read = (res_setup->end - res_setup->begin) / res_setup->partition_size;
.\cloneFuncs\totalClone\Type-2\CVE-2011-3895_before_6mo_1307468422_vorbis_parse_setup_hdr_residues.c
12
13
14
15
16
17
18
19
20
21
vorbis_residue *res_setup = &vc->residues[i]; uint8_t cascade[64]; unsigned high_bits, low_bits; res_setup->type = get_bits(gb, 16); av_dlog(NULL, " %u. residue type %d\n", i, res_setup->type); res_setup->begin = get_bits(gb, 24); res_setup->end = get_bits(gb, 24);
+ show +
22
23
24
25
26
27
28
res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
+ show +
29
30
31
32
33
34
35
36
37
38
res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2); return -1; } res_setup->classifications = get_bits(gb, 6) + 1; GET_VALIDATED_INDEX(res_setup->classbook, 8, vc->codebook_count) res_setup->ptns_to_read = (res_setup->end - res_setup->begin) / res_setup->partition_size;

[ffmpeg_CVE-2011-3929_1327619306_dv_extract_audio.diff] dv_extract_audio_OLD.c #1
/* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0; - pcm = ppcm[ipcm++]; /* for each DIF channel */ for (chan = 0; chan < sys->n_difchan; chan++) { + /* next stereo channel (50Mbps and 100Mbps only) */ + pcm = ppcm[ipcm++]; + if (!pcm) + break; + /* for each DIF segment */ for (i = 0; i < sys->difseg_size; i++) { frame += 6 * 80; /* skip DIF segment header */
.\cloneFuncs\totalClone\Type-1\CVE-2011-3929_before_1mo_1322591295_dv_extract_audio.c
13
14
15
16
17
18
19
20
21
22
smpls = as_pack[1] & 0x3f; /* samples in this frame - min. samples */ freq = (as_pack[4] >> 3) & 0x07; /* 0 - 48kHz, 1 - 44,1kHz, 2 - 32kHz */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ if (quant > 1) return -1; /* unsupported quantization */ size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */ half_ch = sys->difseg_size / 2;
+ show +
23
24
25
26
27
28
29
30
31
32
/* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0; pcm = ppcm[ipcm++]; /* for each DIF channel */ for (chan = 0; chan < sys->n_difchan; chan++) { /* for each DIF segment */ for (i = 0; i < sys->difseg_size; i++) { frame += 6 * 80; /* skip DIF segment header */
+ show +
33
34
35
36
37
38
39
40
41
42
if (quant == 1 && i == half_ch) { /* next stereo channel (12bit mode only) */ pcm = ppcm[ipcm++]; if (!pcm) break; } /* for each AV sequence */ for (j = 0; j < 9; j++) { for (d = 8; d < 80; d += 2) {

[ffmpeg_CVE-2011-3934_1327522229_vp3_update_thread_context.diff] vp3_update_thread_context_OLD.c #1
||s->width != s1->width ||s->height!= s1->height) { if (s != s1) - copy_fields(s, s1, golden_frame, current_frame); + copy_fields(s, s1, golden_frame, keyframe); return -1; }
.\cloneFuncs\totalClone\Type-1\CVE-2011-3934_before_1mo_1324683902_vp3_update_thread_context.c
1
2
3
4
5
6
7
8
static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *src) { Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; int qps_changed = 0, i, err; #define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) if (!s1->current_frame.data[0]
+ show +
9
10
11
12
13
14
||s->width != s1->width ||s->height!= s1->height) { if (s != s1) copy_fields(s, s1, golden_frame, current_frame); return -1; }
+ show +
15
16
17
18
19
20
21
22
23
24
if (s != s1) { // init tables if the first frame hasn't been decoded if (!s->current_frame.data[0]) { int y_fragment_count, c_fragment_count; s->avctx = dst; err = allocate_tables(dst); if (err) return err; y_fragment_count = s->fragment_width[0] * s->fragment_height[0];

[ffmpeg_CVE-2011-3935_1327469525_codec_get_buffer.diff] codec_get_buffer_OLD.c #1
FrameBuffer *buf; int ret, i; + if(av_image_check_size(s->width, s->height, 0, s)) + return -1; + if (!ist->buffer_pool && (ret = alloc_buffer(s, ist, &ist->buffer_pool)) < 0) return ret;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3935_before_imd_1327364943_codec_get_buffer.c
1
2
3
static int codec_get_buffer(AVCodecContext *s, AVFrame *frame) { InputStream *ist = s->opaque;
+ show +
4
5
6
7
8
FrameBuffer *buf; int ret, i; if (!ist->buffer_pool && (ret = alloc_buffer(s, ist, &ist->buffer_pool)) < 0) return ret;
+ show +
9
10
11
12
13
14
15
16
17
18
buf = ist->buffer_pool; ist->buffer_pool = buf->next; buf->next = NULL; if (buf->w != s->width || buf->h != s->height || buf->pix_fmt != s->pix_fmt) { av_freep(&buf->base[0]); av_free(buf); ist->dr1 = 0; if ((ret = alloc_buffer(s, ist, &buf)) < 0) return ret;

[ffmpeg_CVE-2011-3941_1327434867_decode_mb.diff] decode_mb_OLD.c #1
s->dest[1] = s->current_picture.f.data[1] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); s->dest[2] = s->current_picture.f.data[2] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); + ff_init_block_index(s); + ff_update_block_index(s); + if (CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264) { H264Context *h = (void*)s; h->mb_xy = s->mb_x + s->mb_y * s->mb_stride;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3941_before_imd_1326932378_decode_mb.c
1
2
3
static void decode_mb(MpegEncContext *s, int ref) { s->dest[0] = s->current_picture.f.data[0] + (s->mb_y * 16 * s->linesize) + s->mb_x * 16;
+ show +
4
5
6
7
8
9
s->dest[1] = s->current_picture.f.data[1] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); s->dest[2] = s->current_picture.f.data[2] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); if (CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264) { H264Context *h = (void*)s; h->mb_xy = s->mb_x + s->mb_y * s->mb_stride;
+ show +
10
11
12
13
14
15
16
17
18
19
memset(h->non_zero_count_cache, 0, sizeof(h->non_zero_count_cache)); assert(ref >= 0); /* FIXME: It is possible albeit uncommon that slice references * differ between slices. We take the easy approach and ignore * it for now. If this turns out to have any relevance in * practice then correct remapping should be added. */ if (ref >= h->ref_count[0]) ref = 0; fill_rectangle(&s->current_picture.f.ref_index[0][4 * h->mb_xy], 2, 2, 2, ref, 1);
.\cloneFuncs\totalClone\Type-4\CVE-2011-3941_before_1mo_1324509879_decode_mb.c
1
2
static void decode_mb(MpegEncContext *s, int ref){ s->dest[0] = s->current_picture.f.data[0] + (s->mb_y * 16 * s->linesize) + s->mb_x * 16;
+ show +
3
4
5
6
7
8
s->dest[1] = s->current_picture.f.data[1] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); s->dest[2] = s->current_picture.f.data[2] + (s->mb_y * (16 >> s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16 >> s->chroma_x_shift); if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){ H264Context *h= (void*)s; h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
+ show +
9
10
11
12
13
14
15
16
17
18
memset(h->non_zero_count_cache, 0, sizeof(h->non_zero_count_cache)); assert(ref>=0); if(ref >= h->ref_count[0]) //FIXME it is posible albeit uncommon that slice references differ between slices, we take the easy approuch and ignore it for now. If this turns out to have any relevance in practice then correct remapping should be added ref=0; fill_rectangle(&s->current_picture.f.ref_index[0][4*h->mb_xy], 2, 2, 2, ref, 1); fill_rectangle(&h->ref_cache[0][scan8[0]], 4, 4, 8, ref, 1); fill_rectangle(h->mv_cache[0][ scan8[0] ], 4, 4, 8, pack16to32(s->mv[0][0][0],s->mv[0][0][1]), 4); assert(!FRAME_MBAFF); ff_h264_hl_decode_mb(h); }else{

[ffmpeg_CVE-2011-3944_1327526937_smacker_decode_header_tree.diff] smacker_decode_header_tree_OLD.c #1
if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; + if(huff.current > huff.length){ + ctx.last[0] = ctx.last[1] = ctx.last[2] = 1; + av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n"); + return -1; + } *recodes = huff.values;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3944_before_1mo_1324568011_smacker_decode_header_tree.c
74
75
76
77
78
79
80
81
82
83
ctx.recode2 = tmp2.values; ctx.last = last; huff.length = ((size + 3) >> 2) + 3; huff.maxlength = 0; huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); smacker_decode_bigtree(gb, &huff, &ctx); skip_bits1(gb);
+ show +
84
85
86
87
88
if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; *recodes = huff.values;
+ show +
89
90
91
92
93
94
95
96
97
98
if(vlc[0].table) free_vlc(&vlc[0]); if(vlc[1].table) free_vlc(&vlc[1]); av_free(tmp1.bits); av_free(tmp1.lengths); av_free(tmp1.values); av_free(tmp2.bits); av_free(tmp2.lengths);

[ffmpeg_CVE-2011-3945_1327530215_decode_frame.diff] decode_frame_OLD.c #1
const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; - int offsets[7]; + int offsets[8]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3945_before_1mo_1311152148_decode_frame.c
1
2
static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) {
+ show +
3
4
5
6
7
8
9
const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; int offsets[7]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i;
+ show +
10
11
12
13
14
15
16
17
18
19
if (avpkt->size < 2) return -1; w = (buf[0] + 1) * 8; h = (buf[1] + 1) * 8; buf += 2; if (av_image_check_size(w, h, 0, avctx)) return -1;

[ffmpeg_CVE-2011-3945_1327530215_decode_frame.diff] decode_frame_OLD.c #2
return -1; c->prev = prev; - for (i = 0; i < 7; i++) + for (i = 0; i < 8; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) {
.\cloneFuncs\totalClone\Type-1\CVE-2011-3945_before_1mo_1311152148_decode_frame.c
23
24
25
26
27
28
29
30
31
32
maxcnt = w * h; out = av_realloc(c->cur, w * h * 2); if (!out) return -1; c->cur = out; prev = av_realloc(c->prev, w * h * 2); if (!prev)
+ show +
33
34
35
36
37
38
39
return -1; c->prev = prev; for (i = 0; i < 7; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) {
+ show +
40
41
42
43
44
45
46
47
48
49
int code = AV_RL16(buf); buf += 2; if (!(code & 0x8000)) { out[outcnt++] = code; // rgb555 pixel coded directly } else { int count; uint16_t *inp; if ((code & 0x6000) == 0x6000) {

[ffmpeg_CVE-2011-3946_1406745216_ff_h264_decode_sei.diff] ff_h264_decode_sei_OLD.c #1
int size = 0; int type = 0; int ret = 0; + int last = 0; - do - type += show_bits(&h->gb, 8); - while (get_bits(&h->gb, 8) == 255); + while (get_bits_left(&h->gb) >= 8 && + (last = get_bits(&h->gb, 8)) == 255) { + type += 255; + } + type += last; - do - size += show_bits(&h->gb, 8); - while (get_bits(&h->gb, 8) == 255); + last = 0; + while (get_bits_left(&h->gb) >= 8 && + (last = get_bits(&h->gb, 8)) == 255) { + size += 255; + } + size += last; if (size > get_bits_left(&h->gb) / 8) { av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
.\cloneFuncs\totalClone\Type-1\CVE-2011-3946_before_imd_1404316699_ff_h264_decode_sei.c
1
2
3
int ff_h264_decode_sei(H264Context *h) { while (get_bits_left(&h->gb) > 16) {
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int size = 0; int type = 0; int ret = 0; do type += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); do size += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); if (size > get_bits_left(&h->gb) / 8) { av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+ show +
18
19
20
21
22
23
24
25
26
27
type, get_bits_left(&h->gb)); return AVERROR_INVALIDDATA; } switch (type) { case SEI_TYPE_PIC_TIMING: // Picture timing SEI ret = decode_picture_timing(h); if (ret < 0) return ret; break;
.\cloneFuncs\totalClone\Type-3\CVE-2011-3946_before_1mo_1392282063_ff_h264_decode_sei.c
1
2
3
int ff_h264_decode_sei(H264Context *h) { while (get_bits_left(&h->gb) > 16) {
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int size = 0; int type = 0; int ret = 0; do type += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); do size += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); if (size > get_bits_left(&h->gb) / 8) { av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+ show +
18
19
20
21
22
23
24
25
26
27
type, get_bits_left(&h->gb)); return AVERROR_INVALIDDATA; } switch (type) { case SEI_TYPE_PIC_TIMING: // Picture timing SEI ret = decode_picture_timing(h); if (ret < 0) return ret; break;
.\cloneFuncs\totalClone\Type-3\CVE-2011-3946_before_6mo_1386954779_ff_h264_decode_sei.c
1
2
3
int ff_h264_decode_sei(H264Context *h) { while (get_bits_left(&h->gb) > 16) {
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int size = 0; int type = 0; int ret = 0; do type += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); do size += show_bits(&h->gb, 8); while (get_bits(&h->gb, 8) == 255); if (size > get_bits_left(&h->gb) / 8) { av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+ show +
18
19
20
21
22
23
24
25
26
27
type, get_bits_left(&h->gb)); return AVERROR_INVALIDDATA; } switch (type) { case SEI_TYPE_PIC_TIMING: // Picture timing SEI ret = decode_picture_timing(h); if (ret < 0) return ret; break;

[ffmpeg_CVE-2011-3949_1327588903_dirac_unpack_idwt_params.diff] dirac_unpack_idwt_params_OLD.c #1
{ GetBitContext *gb = &s->gb; int i, level; + unsigned tmp; + +#define CHECKEDREAD(dst, cond, errmsg) \ + tmp = svq3_get_ue_golomb(gb); \ + if (cond) { \ + av_log(s->avctx, AV_LOG_ERROR, errmsg); \ + return -1; \ + }\ + dst = tmp; align_get_bits(gb);
.\cloneFuncs\totalClone\Type-1\CVE-2011-3949_before_1mo_1321290073_dirac_unpack_idwt_params.c
1
static int dirac_unpack_idwt_params(DiracContext *s)
+ show +
2
3
4
5
6
{ GetBitContext *gb = &s->gb; int i, level; align_get_bits(gb);
+ show +
7
8
9
10
11
12
13
14
15
16
s->zero_res = s->num_refs ? get_bits1(gb) : 0; if (s->zero_res) return 0; /*[DIRAC_STD] 11.3.1 Transform parameters. transform_parameters() */ s->wavelet_idx = svq3_get_ue_golomb(gb); if (s->wavelet_idx > 6) return -1;

[ffmpeg_CVE-2011-3949_1327588903_dirac_unpack_idwt_params.diff] dirac_unpack_idwt_params_OLD.c #2
return 0; /*[DIRAC_STD] 11.3.1 Transform parameters. transform_parameters() */ - s->wavelet_idx = svq3_get_ue_golomb(gb); - if (s->wavelet_idx > 6) - return -1; - - s->wavelet_depth = svq3_get_ue_golomb(gb); - if (s->wavelet_depth > MAX_DWT_LEVELS) { - av_log(s->avctx, AV_LOG_ERROR, "too many dwt decompositions\n"); - return -1; - } + CHECKEDREAD(s->wavelet_idx, tmp > 6, "wavelet_idx is too big\n") + + CHECKEDREAD(s->wavelet_depth, tmp > MAX_DWT_LEVELS || tmp < 1, "invalid number of DWT decompositions\n") if (!s->low_delay) { /* Codeblock paramaters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { - s->codeblock[i].width = svq3_get_ue_golomb(gb); - s->codeblock[i].height = svq3_get_ue_golomb(gb); + CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n") + CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n") } - s->codeblock_mode = svq3_get_ue_golomb(gb); - if (s->codeblock_mode > 1) { - av_log(s->avctx, AV_LOG_ERROR, "unknown codeblock mode\n"); - return -1; - } + CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n") } else for (i = 0; i <= s->wavelet_depth; i++) s->codeblock[i].width = s->codeblock[i].height = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3949_before_1mo_1321290073_dirac_unpack_idwt_params.c
1
2
3
4
5
6
7
8
9
static int dirac_unpack_idwt_params(DiracContext *s) { GetBitContext *gb = &s->gb; int i, level; align_get_bits(gb); s->zero_res = s->num_refs ? get_bits1(gb) : 0; if (s->zero_res)
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
return 0; /*[DIRAC_STD] 11.3.1 Transform parameters. transform_parameters() */ s->wavelet_idx = svq3_get_ue_golomb(gb); if (s->wavelet_idx > 6) return -1; s->wavelet_depth = svq3_get_ue_golomb(gb); if (s->wavelet_depth > MAX_DWT_LEVELS) { av_log(s->avctx, AV_LOG_ERROR, "too many dwt decompositions\n"); return -1; } if (!s->low_delay) { /* Codeblock paramaters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { s->codeblock[i].width = svq3_get_ue_golomb(gb); s->codeblock[i].height = svq3_get_ue_golomb(gb); } s->codeblock_mode = svq3_get_ue_golomb(gb); if (s->codeblock_mode > 1) { av_log(s->avctx, AV_LOG_ERROR, "unknown codeblock mode\n"); return -1; } } else for (i = 0; i <= s->wavelet_depth; i++) s->codeblock[i].width = s->codeblock[i].height = 1;
+ show +
39
40
41
42
43
44
45
46
47
48
} else { /* Slice parameters + quantization matrix*/ /*[DIRAC_STD] 11.3.4 Slice coding Parameters (low delay syntax only). slice_parameters() */ s->lowdelay.num_x = svq3_get_ue_golomb(gb); s->lowdelay.num_y = svq3_get_ue_golomb(gb); s->lowdelay.bytes.num = svq3_get_ue_golomb(gb); s->lowdelay.bytes.den = svq3_get_ue_golomb(gb); /* [DIRAC_STD] 11.3.5 Quantisation matrices (low-delay syntax). quant_matrix() */ if (get_bits1(gb)) {

[ffmpeg_CVE-2011-3950_1327593061_dirac_decode_data_unit.diff] dirac_decode_data_unit_OLD.c #1
DiracContext *s = avctx->priv_data; DiracFrame *pic = NULL; int i, parse_code = buf[4]; + unsigned tmp; if (size < DATA_UNIT_HEADER_SIZE) return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2011-3950_before_1mo_1321290073_dirac_decode_data_unit.c
1
2
static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int size) {
+ show +
3
4
5
6
7
8
DiracContext *s = avctx->priv_data; DiracFrame *pic = NULL; int i, parse_code = buf[4]; if (size < DATA_UNIT_HEADER_SIZE) return -1;
+ show +
9
10
11
12
13
14
15
16
17
18
init_get_bits(&s->gb, &buf[13], 8*(size - DATA_UNIT_HEADER_SIZE)); if (parse_code == pc_seq_header) { if (s->seen_sequence_header) return 0; /* [DIRAC_STD] 10. Sequence header */ if (avpriv_dirac_parse_sequence_header(avctx, &s->gb, &s->source)) return -1;

[ffmpeg_CVE-2011-3950_1327593061_dirac_decode_data_unit.diff] dirac_decode_data_unit_OLD.c #2
avcodec_get_frame_defaults(&pic->avframe); /* [DIRAC_STD] Defined in 9.6.1 ... */ - s->num_refs = parse_code & 0x03; /* [DIRAC_STD] num_refs() */ + tmp = parse_code & 0x03; /* [DIRAC_STD] num_refs() */ + if (tmp > 2) { + av_log(avctx, AV_LOG_ERROR, "num_refs of 3\n"); + return -1; + } + s->num_refs = tmp; s->is_arith = (parse_code & 0x48) == 0x08; /* [DIRAC_STD] using_ac() */ s->low_delay = (parse_code & 0x88) == 0x88; /* [DIRAC_STD] is_low_delay() */ pic->avframe.reference = (parse_code & 0x0C) == 0x0C; /* [DIRAC_STD] is_reference() */
.\cloneFuncs\totalClone\Type-1\CVE-2011-3950_before_1mo_1321290073_dirac_decode_data_unit.c
43
44
45
46
47
48
49
50
51
52
/* find an unused frame */ for (i = 0; i < MAX_FRAMES; i++) if (s->all_frames[i].avframe.data[0] == NULL) pic = &s->all_frames[i]; if (!pic) { av_log(avctx, AV_LOG_ERROR, "framelist full\n"); return -1; }
+ show +
53
54
55
56
57
58
59
avcodec_get_frame_defaults(&pic->avframe); /* [DIRAC_STD] Defined in 9.6.1 ... */ s->num_refs = parse_code & 0x03; /* [DIRAC_STD] num_refs() */ s->is_arith = (parse_code & 0x48) == 0x08; /* [DIRAC_STD] using_ac() */ s->low_delay = (parse_code & 0x88) == 0x88; /* [DIRAC_STD] is_low_delay() */ pic->avframe.reference = (parse_code & 0x0C) == 0x0C; /* [DIRAC_STD] is_reference() */
+ show +
60
61
62
63
64
65
66
67
68
69
pic->avframe.key_frame = s->num_refs == 0; /* [DIRAC_STD] is_intra() */ pic->avframe.pict_type = s->num_refs + 1; /* Definition of AVPictureType in avutil.h */ if (avctx->get_buffer(avctx, &pic->avframe) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } s->current_picture = pic; s->plane[0].stride = pic->avframe.linesize[0]; s->plane[1].stride = pic->avframe.linesize[1];

[ffmpeg_CVE-2011-3951_1329516820_dpcm_decode_frame.diff] dpcm_decode_frame_OLD.c #1
int stereo = s->channels - 1; int16_t *output_samples; + if (stereo && (buf_size & 1)) { + buf_size--; + buf_end--; + } + /* calculate output size */ switch(avctx->codec->id) { case CODEC_ID_ROQ_DPCM:
.\cloneFuncs\totalClone\Type-1\CVE-2011-3951_before_imd_1326056737_dpcm_decode_frame.c
1
2
3
4
5
6
7
8
9
10
static int dpcm_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; const uint8_t *buf_end = buf + buf_size; DPCMContext *s = avctx->priv_data; int out = 0, ret; int predictor[2]; int ch = 0;
+ show +
11
12
13
14
15
16
int stereo = s->channels - 1; int16_t *output_samples; /* calculate output size */ switch(avctx->codec->id) { case CODEC_ID_ROQ_DPCM:
+ show +
17
18
19
20
21
22
23
24
25
26
out = buf_size - 8; break; case CODEC_ID_INTERPLAY_DPCM: out = buf_size - 6 - s->channels; break; case CODEC_ID_XAN_DPCM: out = buf_size - 2 * s->channels; break; case CODEC_ID_SOL_DPCM: if (avctx->codec_tag != 3)
.\cloneFuncs\totalClone\Type-2\CVE-2011-3951_before_1mo_1315325865_dpcm_decode_frame.c
1
2
3
4
5
6
7
8
9
10
static int dpcm_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; const uint8_t *buf_end = buf + buf_size; DPCMContext *s = avctx->priv_data; int out = 0, ret; int predictor[2]; int ch = 0;
+ show +
11
12
13
14
15
16
int stereo = s->channels - 1; int16_t *output_samples; /* calculate output size */ switch(avctx->codec->id) { case CODEC_ID_ROQ_DPCM:
+ show +
17
18
19
20
21
22
23
24
25
26
out = buf_size - 8; break; case CODEC_ID_INTERPLAY_DPCM: out = buf_size - 6 - s->channels; break; case CODEC_ID_XAN_DPCM: out = buf_size - 2 * s->channels; break; case CODEC_ID_SOL_DPCM: if (avctx->codec_tag != 3)

[ffmpeg_CVE-2011-3951_1329516820_dpcm_decode_frame.diff] dpcm_decode_frame_OLD.c #2
*got_frame_ptr = 1; *(AVFrame *)data = s->frame; - return buf_size; + return avpkt->size; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-0848_after_1mo_1329528019_ws_snd_decode_frame.c
31
32
33
34
35
36
37
38
39
40
s->frame.nb_samples = out_size; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } samples = s->frame.data[0]; samples_end = samples + out_size; if (in_size == out_size) { memcpy(samples, buf, out_size);
+ show +
41
42
43
44
*got_frame_ptr = 1; *(AVFrame *)data = s->frame; return buf_size; }
+ show +
45
46
47
48
49
50
51
52
53
54
while (samples < samples_end && buf - avpkt->data < buf_size) { int code, smp, size; uint8_t count; code = *buf >> 6; count = *buf & 0x3F; buf++; /* make sure we don't write past the output buffer */ switch (code) {
.\cloneFuncs\totalClone\Type-1\CVE-2012-0848_before_imd_1315325865_ws_snd_decode_frame.c
31
32
33
34
35
36
37
38
39
40
s->frame.nb_samples = out_size; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } samples = s->frame.data[0]; samples_end = samples + out_size; if (in_size == out_size) { memcpy(samples, buf, out_size);
+ show +
41
42
43
44
*got_frame_ptr = 1; *(AVFrame *)data = s->frame; return buf_size; }
+ show +
45
46
47
48
49
50
51
52
53
54
while (samples < samples_end && buf - avpkt->data < buf_size) { int code, smp, size; uint8_t count; code = *buf >> 6; count = *buf & 0x3F; buf++; /* make sure we don't write past the output buffer */ switch (code) {

[ffmpeg_CVE-2011-3952_1327595449_decode_init.diff] decode_init_OLD.c #1
c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata
.\cloneFuncs\totalClone\Type-1\CVE-2011-3952_before_1mo_1323701694_decode_init.c
14
15
16
17
18
19
20
21
22
23
c->frm1 = av_mallocz(320 * 200); c->cur = c->frm0; c->prev = c->frm1; for (i = 0; i < 256; i++) { c->pal[i] = i * 0x10101; } if (avctx->extradata_size < 12) { av_log(NULL, 0, "Extradata missing, decoding may not work properly...\n");
+ show +
24
25
26
27
28
29
c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); } if (avctx->extradata_size == 1036) { // palette in extradata
+ show +
30
31
32
33
34
35
36
37
38
39
uint8_t *src = avctx->extradata + 12; for (i = 0; i < 256; i++) { c->pal[i] = AV_RL32(src); src += 4; } c->setpal = 1; } avctx->pix_fmt = PIX_FMT_PAL8;

[openssl_CVE-2011-4109_1326910527_dtls1_process_record.diff] dtls1_process_record_OLD.c #1
unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= &(s->s3->rrec);
.\cloneFuncs\totalClone\Type-1\CVE-2011-4109_before_imd_1325721146_dtls1_process_record.c
1
2
3
4
5
6
7
8
static int dtls1_process_record(SSL *s) { int i,al; int clear=0; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr;
+ show +
9
10
11
12
13
14
unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; int decryption_failed_or_bad_record_mac = 0; rr= &(s->s3->rrec);
+ show +
15
16
17
18
19
20
21
22
23
24
sess = s->session; /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, * and we have that many bytes in s->packet */ rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); /* ok, we can now read from 's->packet' data into 'rr' * rr->input points at rr->length bytes, which * need to be copied into rr->data by either

[openssl_CVE-2011-4109_1326910527_dtls1_process_record.diff] dtls1_process_record_OLD.c #2
#endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length < mac_size) + if (rr->length >= mac_size) { -#if 0 /* OK only for stream ciphers */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; -#endif + rr->length -= mac_size; + mac = &rr->data[rr->length]; } - rr->length-=mac_size; + else + rr->length = 0; i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) + if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; }
.\cloneFuncs\totalClone\Type-1\CVE-2011-4109_before_imd_1325721146_dtls1_process_record.c
70
71
72
73
74
75
76
77
78
79
mac_size=t; if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) { #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else decryption_failed_or_bad_record_mac = 1;
+ show +
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ if (rr->length < mac_size) { #if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else decryption_failed_or_bad_record_mac = 1; #endif } rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; }
+ show +
99
100
101
102
103
104
105
106
107
108
} if (decryption_failed_or_bad_record_mac) { /* decryption failed, silently discard message */ rr->length = 0; s->packet_length = 0; goto err; }

[qemu_CVE-2011-4111_1322508457_ccid_card_vscard_handle_message.diff] ccid_card_vscard_handle_message_OLD.c #1
error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length;
.\cloneFuncs\totalClone\Type-1\CVE-2011-4111_before_1mo_1313425048_ccid_card_vscard_handle_message.c
1
2
3
4
5
6
7
8
9
static void ccid_card_vscard_handle_message(PassthruState *card, VSCMsgHeader *scr_msg_header) { uint8_t *data = (uint8_t *)&scr_msg_header[1]; switch (scr_msg_header->type) { case VSC_ATR: DPRINTF(card, D_INFO, "VSC_ATR %d\n", scr_msg_header->length); if (scr_msg_header->length > MAX_ATR_SIZE) {
+ show +
10
11
12
13
14
15
error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length;
+ show +
16
17
18
19
20
21
22
23
24
25
ccid_card_card_inserted(&card->base); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_SUCCESS); break; case VSC_APDU: ccid_card_send_apdu_to_guest( &card->base, data, scr_msg_header->length); break; case VSC_CardRemove: DPRINTF(card, D_INFO, "VSC_CardRemove\n");

[ffmpeg_CVE-2011-4352_1322989833_render_slice.diff] render_slice_OLD.c #1
/* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - vp3_dequant(s, s->all_fragments + i, plane, 0, block); + int index; + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); + if (index > 63) + continue; if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put(
.\cloneFuncs\totalClone\Type-1\CVE-2011-4352_before_1mo_1319993531_render_slice.c
109
110
111
112
113
114
115
116
117
118
s->dsp.put_no_rnd_pixels_l2[1]( output_plane + first_pixel, motion_source - d, motion_source + stride + 1 + d, stride, 8); } } s->dsp.clear_block(block);
+ show +
119
120
121
122
123
124
125
/* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put(
+ show +
126
127
128
129
130
131
132
133
134
135
output_plane + first_pixel, stride, block); } else { if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride, block); } else {
.\cloneFuncs\totalClone\Type-2\CVE-2011-4352_before_6mo_1304096037_render_slice.c
109
110
111
112
113
114
115
116
117
118
s->dsp.put_no_rnd_pixels_l2[1]( output_plane + first_pixel, motion_source - d, motion_source + stride + 1 + d, stride, 8); } } s->dsp.clear_block(block);
+ show +
119
120
121
122
123
124
125
/* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put(
+ show +
126
127
128
129
130
131
132
133
134
135
output_plane + first_pixel, stride, block); } else { if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride, block); } else {

[ffmpeg_CVE-2011-4352_1322989833_render_slice.diff] render_slice_OLD.c #2
stride, block); } else { - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); + if (index > 63) + continue; + if (index > 0) { s->dsp.idct_add( output_plane + first_pixel, stride,
.\cloneFuncs\totalClone\Type-1\CVE-2011-4352_before_1mo_1319993531_render_slice.c
117
118
119
120
121
122
123
124
125
126
s->dsp.clear_block(block); /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( output_plane + first_pixel,
+ show +
127
128
129
130
131
132
133
stride, block); } else { if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride,
+ show +
134
135
136
137
138
139
140
141
142
143
block); } else { s->dsp.vp3_idct_dc_add(output_plane + first_pixel, stride, block); } } } else { /* copy directly from the previous frame */ s->dsp.put_pixels_tab[1][0]( output_plane + first_pixel,
.\cloneFuncs\totalClone\Type-2\CVE-2011-4352_before_6mo_1304096037_render_slice.c
117
118
119
120
121
122
123
124
125
126
s->dsp.clear_block(block); /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( output_plane + first_pixel,
+ show +
127
128
129
130
131
132
133
stride, block); } else { if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride,
+ show +
134
135
136
137
138
139
140
141
142
143
block); } else { s->dsp.vp3_idct_dc_add(output_plane + first_pixel, stride, block); } } } else { /* copy directly from the previous frame */ s->dsp.put_pixels_tab[1][0]( output_plane + first_pixel,

[ffmpeg_CVE-2011-4352_1322989833_vp3_dequant.diff] vp3_dequant_OLD.c #1
case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); + return i; + } block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break;
.\cloneFuncs\totalClone\Type-1\CVE-2011-4352_before_1mo_1319993531_vp3_dequant.c
7
8
9
10
11
12
13
14
15
16
do { int token = *s->dct_tokens[plane][i]; switch (token & 3) { case 0: // EOB if (--token < 4) // 0-3 are token types, so the EOB run must now be 0 s->dct_tokens[plane][i]++; else *s->dct_tokens[plane][i] = token & ~3; goto end;
+ show +
17
18
19
20
21
22
case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break;
+ show +
23
24
25
26
27
28
29
30
31
32
case 2: // coeff block[perm[i]] = (token >> 2) * dequantizer[perm[i]]; s->dct_tokens[plane][i++]++; break; default: // shouldn't happen return i; } } while (i < 64); end: // the actual DC+prediction is in the fragment structure

[openssl_CVE-2011-4576_1325718975_ssl3_enc.diff] ssl3_enc_OLD.c #1
/* we need to add 'i-1' padding bytes */ l+=i; + /* the last of these zero bytes will be overwritten + * with the padding length. */ + memset(&rec->input[rec->length], 0, i); rec->length+=i; rec->input[l-1]=(i-1); }
.\cloneFuncs\totalClone\Type-1\CVE-2011-4576_before_1mo_1305903389_ssl3_enc.c
35
36
37
38
39
40
41
42
43
44
{ l=rec->length; bs=EVP_CIPHER_block_size(ds->cipher); /* COMPRESS */ if ((bs != 1) && send) { i=bs-((int)l%bs);
+ show +
45
46
47
48
49
/* we need to add 'i-1' padding bytes */ l+=i; rec->length+=i; rec->input[l-1]=(i-1); }
+ show +
50
51
52
53
54
55
56
57
58
59
if (!send) { if (l == 0 || l%bs != 0) { SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } /* otherwise, rec->length >= bs */

[openssl_CVE-2011-4577_1325718114_addr_expand.diff] addr_expand_OLD.c #1
-static void addr_expand(unsigned char *addr, +static int addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, const unsigned char fill) { - OPENSSL_assert(bs->length >= 0 && bs->length <= length); + if (bs->length < 0 || bs->length > length) + return 0; if (bs->length > 0) { memcpy(addr, bs->data, bs->length); if ((bs->flags & 7) != 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2011-4577_before_1mo_1318121812_addr_expand.c
+ show +
1
2
3
4
5
6
7
8
9
static void addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, const unsigned char fill) { OPENSSL_assert(bs->length >= 0 && bs->length <= length); if (bs->length > 0) { memcpy(addr, bs->data, bs->length); if ((bs->flags & 7) != 0) {
+ show +
10
11
12
13
14
15
16
17
18
unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); if (fill == 0) addr[bs->length - 1] &= ~mask; else addr[bs->length - 1] |= mask; } } memset(addr + bs->length, fill, length - bs->length); }

[openssl_CVE-2011-4577_1325718114_i2r_address.diff] i2r_address_OLD.c #1
return 0; switch (afi) { case IANA_AFI_IPV4: - if (bs->length > 4) + if (!addr_expand(addr, bs, 4, fill)) return 0; - addr_expand(addr, bs, 4, fill); BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); break; case IANA_AFI_IPV6: - if (bs->length > 16) + if (!addr_expand(addr, bs, 16, fill)) return 0; - addr_expand(addr, bs, 16, fill); for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) ; for (i = 0; i < n; i += 2)
.\cloneFuncs\totalClone\Type-1\CVE-2011-4577_before_1mo_1318121812_i2r_address.c
1
2
3
4
5
6
7
8
9
static int i2r_address(BIO *out, const unsigned afi, const unsigned char fill, const ASN1_BIT_STRING *bs) { unsigned char addr[ADDR_RAW_BUF_LEN]; int i, n; if (bs->length < 0)
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
return 0; switch (afi) { case IANA_AFI_IPV4: if (bs->length > 4) return 0; addr_expand(addr, bs, 4, fill); BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); break; case IANA_AFI_IPV6: if (bs->length > 16) return 0; addr_expand(addr, bs, 16, fill); for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) ; for (i = 0; i < n; i += 2)
+ show +
25
26
27
28
29
30
31
32
33
34
BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); if (i < 16) BIO_puts(out, ":"); if (i == 0) BIO_puts(out, ":"); break; default: for (i = 0; i < bs->length; i++) BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); BIO_printf(out, "[%d]", (int) (bs->flags & 7));

[openssl_CVE-2011-4577_1325718114_v3_addr_is_canonical.diff] v3_addr_is_canonical_OLD.c #1
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); - extract_min_max(a, a_min, a_max, length); - extract_min_max(b, b_min, b_max, length); + if (!extract_min_max(a, a_min, a_max, length) || + !extract_min_max(b, b_min, b_max, length)) + return 0; /* * Punt misordered list, overlapping start, or inverted range.
.\cloneFuncs\totalClone\Type-1\CVE-2011-4577_before_1mo_1318121812_v3_addr_is_canonical.c
43
44
45
46
47
48
49
50
51
52
return 0; } /* * It's an IPAddressOrRanges sequence, check it. */ aors = f->ipAddressChoice->u.addressesOrRanges; if (sk_IPAddressOrRange_num(aors) == 0) return 0; for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
+ show +
53
54
55
56
57
58
59
60
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); extract_min_max(a, a_min, a_max, length); extract_min_max(b, b_min, b_max, length); /* * Punt misordered list, overlapping start, or inverted range.
+ show +
61
62
63
64
65
66
67
68
69
70
*/ if (memcmp(a_min, b_min, length) >= 0 || memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0) return 0; /* * Punt if adjacent or overlapping. Check for adjacency by * subtracting one from b_min first. */
.\cloneFuncs\totalClone\Type-3\CVE-2011-4577_before_6mo_1294018853_v3_addr_is_canonical.c
43
44
45
46
47
48
49
50
51
52
return 0; } /* * It's an IPAddressOrRanges sequence, check it. */ aors = f->ipAddressChoice->u.addressesOrRanges; if (sk_IPAddressOrRange_num(aors) == 0) return 0; for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
+ show +
53
54
55
56
57
58
59
60
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); extract_min_max(a, a_min, a_max, length); extract_min_max(b, b_min, b_max, length); /* * Punt misordered list, overlapping start, or inverted range.
+ show +
61
62
63
64
65
66
67
68
69
70
*/ if (memcmp(a_min, b_min, length) >= 0 || memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0) return 0; /* * Punt if adjacent or overlapping. Check for adjacency by * subtracting one from b_min first. */

[openssl_CVE-2011-4577_1325718114_v3_addr_is_canonical.diff] v3_addr_is_canonical_OLD.c #2
{ IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); if (a != NULL && a->type == IPAddressOrRange_addressRange) { - extract_min_max(a, a_min, a_max, length); + if (!extract_min_max(a, a_min, a_max, length)) + return 0; if (memcmp(a_min, a_max, length) > 0 || range_should_be_prefix(a_min, a_max, length) >= 0) return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2011-4577_before_1mo_1318121812_v3_addr_is_canonical.c
79
80
81
82
83
84
85
86
87
88
if (a->type == IPAddressOrRange_addressRange && range_should_be_prefix(a_min, a_max, length) >= 0) return 0; } /* * Check range to see if it's inverted or should be a * prefix. */ j = sk_IPAddressOrRange_num(aors) - 1;
+ show +
89
90
91
92
93
94
95
{ IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); if (a != NULL && a->type == IPAddressOrRange_addressRange) { extract_min_max(a, a_min, a_max, length); if (memcmp(a_min, a_max, length) > 0 || range_should_be_prefix(a_min, a_max, length) >= 0) return 0;
+ show +
96
97
98
99
100
101
102
103
104
} } } /* * If we made it through all that, we're happy. */ return 1; }

[openssl_CVE-2011-4577_1325718114_IPAddressOrRanges_canonize.diff] IPAddressOrRanges_canonize_OLD.c #1
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; - extract_min_max(a, a_min, a_max, length); - extract_min_max(b, b_min, b_max, length); + if (!extract_min_max(a, a_min, a_max, length) || + !extract_min_max(b, b_min, b_max, length)) + return 0; /* * Punt inverted ranges.
.\cloneFuncs\totalClone\Type-1\CVE-2011-4577_before_imd_1325688347_IPAddressOrRanges_canonize.c
7
8
9
10
11
12
13
14
15
16
* Sort the IPAddressOrRanges sequence. */ sk_IPAddressOrRange_sort(aors); /* * Clean up representation issues, punt on duplicates or overlaps. */ for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
+ show +
17
18
19
20
21
22
23
24
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; extract_min_max(a, a_min, a_max, length); extract_min_max(b, b_min, b_max, length); /* * Punt inverted ranges.
+ show +
25
26
27
28
29
30
31
32
33
34
*/ if (memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0) return 0; /* * Punt overlaps. */ if (memcmp(a_max, b_min, length) >= 0) return 0;
.\cloneFuncs\totalClone\Type-2\CVE-2011-4577_before_1mo_1318121812_IPAddressOrRanges_canonize.c
7
8
9
10
11
12
13
14
15
16
* Sort the IPAddressOrRanges sequence. */ sk_IPAddressOrRange_sort(aors); /* * Clean up representation issues, punt on duplicates or overlaps. */ for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
+ show +
17
18
19
20
21
22
23
24
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; extract_min_max(a, a_min, a_max, length); extract_min_max(b, b_min, b_max, length); /* * Punt inverted ranges.
+ show +
25
26
27
28
29
30
31
32
33
34
*/ if (memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0) return 0; /* * Punt overlaps. */ if (memcmp(a_max, b_min, length) >= 0) return 0;

[ffmpeg_CVE-2011-4579_1321639821_svq1_decode_frame.diff] svq1_decode_frame_OLD.c #1
av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result); return result; } + avcodec_set_dimensions(avctx, s->width, s->height); //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering
.\cloneFuncs\totalClone\Type-1\CVE-2011-4579_before_1mo_1310900071_svq1_decode_frame.c
25
26
27
28
29
30
31
32
33
34
for (i=0; i < 4; i++) { src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; } } result = svq1_decode_frame_header (&s->gb, s); if (result != 0) {
+ show +
35
36
37
38
39
40
av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result); return result; } //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering
+ show +
41
42
43
44
45
46
47
48
49
50
if(s->pict_type==AV_PICTURE_TYPE_B && s->last_picture_ptr==NULL) return buf_size; if( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==AV_PICTURE_TYPE_B) ||(avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) return buf_size; if(MPV_frame_start(s, avctx) < 0) return -1;

[openssl_CVE-2011-4619_1329405964_ssl3_check_client_hello.diff] ssl3_check_client_hello_OLD.c #1
int ok; long n; - /* We only allow the client to restart the handshake once per - * negotiation. */ - if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) - { - SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); - return -1; - } - /* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=s->method->ssl_get_message(s,
.\cloneFuncs\totalClone\Type-1\CVE-2011-4619_before_1mo_1326737954_ssl3_check_client_hello.c
1
2
int ssl3_check_client_hello(SSL *s) {
+ show +
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int ok; long n; /* We only allow the client to restart the handshake once per * negotiation. */ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); return -1; } /* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=s->method->ssl_get_message(s,
+ show +
17
18
19
20
21
22
23
24
25
26
SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { /* Throw away what we have done so far in the current handshake,

[openssl_CVE-2011-4619_1329405964_ssl3_check_client_hello.diff] ssl3_check_client_hello_OLD.c #2
s->s3->tmp.reuse_message = 1; if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { + /* We only allow the client to restart the handshake once per + * negotiation. */ + if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) + { + SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); + return -1; + } /* Throw away what we have done so far in the current handshake, * which will now be aborted. (A full SSL_clear would be too much.) */ #ifndef OPENSSL_NO_DH
.\cloneFuncs\totalClone\Type-1\CVE-2011-4619_before_1mo_1326737954_ssl3_check_client_hello.c
13
14
15
16
17
18
19
20
21
22
/* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n);
+ show +
23
24
25
26
27
28
s->s3->tmp.reuse_message = 1; if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { /* Throw away what we have done so far in the current handshake, * which will now be aborted. (A full SSL_clear would be too much.) */ #ifndef OPENSSL_NO_DH
+ show +
29
30
31
32
33
34
35
36
37
38
if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; } #endif #ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) { EC_KEY_free(s->s3->tmp.ecdh);

[openssl_CVE-2012-0027_1325718220_pkey_GOST94cp_decrypt.diff] pkey_GOST94cp_decrypt_OLD.c #1
} param = get_encryption_params(gkt->key_agreement_info->cipher); + if(!param){ + goto err; + } + gost_init(&cctx,param->sblock); OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8); memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
.\cloneFuncs\totalClone\Type-1\CVE-2012-0027_before_1mo_1264555101_pkey_GOST94cp_decrypt.c
40
41
42
43
44
45
46
47
48
49
GOST_R_CTRL_CALL_FAILED); goto err; } } peerkey = EVP_PKEY_CTX_get0_peerkey(ctx); if (!peerkey) { GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT, GOST_R_NO_PEER_KEY); goto err;
+ show +
50
51
52
53
54
55
} param = get_encryption_params(gkt->key_agreement_info->cipher); gost_init(&cctx,param->sblock); OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8); memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
+ show +
56
57
58
59
60
61
62
63
64
65
OPENSSL_assert(gkt->key_info->encrypted_key->length==32); memcpy(wrappedKey+8,gkt->key_info->encrypted_key->data,32); OPENSSL_assert(gkt->key_info->imit->length==4); memcpy(wrappedKey+40,gkt->key_info->imit->data,4); make_cp_exchange_key(gost_get0_priv_key(priv),peerkey,sharedKey); if (!keyUnwrapCryptoPro(&cctx,sharedKey,wrappedKey,key)) { GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT, GOST_R_ERROR_COMPUTING_SHARED_KEY); goto err;

[qemu_CVE-2012-0029_1327325443_process_tx_desc.diff] process_tx_desc_OLD.c #1
bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; + + bytes = MIN(sizeof(tp->data) - tp->size, bytes); pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr);
.\cloneFuncs\totalClone\Type-1\CVE-2012-0029_before_1mo_1320041212_process_tx_desc.c
47
48
49
50
51
52
53
54
55
56
le16_to_cpup((uint16_t *)(s->mac_reg + VET))); cpu_to_be16wu((uint16_t *)(tp->vlan_header + 2), le16_to_cpu(dp->upper.fields.special)); } addr = le64_to_cpu(dp->buffer_addr); if (tp->tse && tp->cptse) { hdr = tp->hdr_len; msh = hdr + tp->mss; do {
+ show +
57
58
59
60
61
62
bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr);
+ show +
63
64
65
66
67
68
69
70
71
72
tp->size = sz; addr += bytes; if (sz == msh) { xmit_seg(s); memmove(tp->data, tp->header, hdr); tp->size = hdr; } } while (split_size -= bytes); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set

[qemu_CVE-2012-0029_1327325443_process_tx_desc.diff] process_tx_desc_OLD.c #2
// context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { + split_size = MIN(sizeof(tp->data) - tp->size, split_size); pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size); tp->size += split_size; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-0029_before_1mo_1320041212_process_tx_desc.c
62
63
64
65
66
67
68
69
70
71
memmove(tp->header, tp->data, hdr); tp->size = sz; addr += bytes; if (sz == msh) { xmit_seg(s); memmove(tp->data, tp->header, hdr); tp->size = hdr; } } while (split_size -= bytes); } else if (!tp->tse && tp->cptse) {
+ show +
72
73
74
75
76
77
// context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size); tp->size += split_size; }
+ show +
78
79
80
81
82
83
84
85
86
87
if (!(txd_lower & E1000_TXD_CMD_EOP)) return; if (!(tp->tse && tp->cptse && tp->size < hdr)) xmit_seg(s); tp->tso_frames = 0; tp->sum_needed = 0; tp->vlan_needed = 0; tp->size = 0; tp->cptse = 0;

[ffmpeg_CVE-2012-0848_1324768227_ws_snd_decode_frame.diff] ws_snd_decode_frame_OLD.c #1
/* make sure we don't write past the output buffer */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4 * (count + 1); break; + case 1: smp = 2 * (count + 1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-0848_before_imd_1315325865_ws_snd_decode_frame.c
43
44
45
46
47
48
49
50
51
52
return buf_size; } while (samples < samples_end && buf - avpkt->data < buf_size) { int code, smp, size; uint8_t count; code = *buf >> 6; count = *buf & 0x3F; buf++;
+ show +
53
54
55
56
57
58
59
/* make sure we don't write past the output buffer */ switch (code) { case 0: smp = 4; break; case 1: smp = 2; break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; }
+ show +
60
61
62
63
64
65
66
67
68
69
if (samples_end - samples < smp) break; /* make sure we don't read past the input buffer */ size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; if ((buf - avpkt->data) + size > buf_size) break; switch (code) { case 0: /* ADPCM 2-bit */
.\cloneFuncs\totalClone\Type-3\CVE-2012-0848_before_1mo_1315837736_ws_snd_decode_frame.c
37
38
39
40
41
42
43
44
45
46
return buf_size; } while (samples < samples_end && buf - avpkt->data < buf_size) { int code, smp, size; uint8_t count; code = *buf >> 6; count = *buf & 0x3F; buf++;
+ show +
47
48
49
50
51
52
53
/* make sure we don't write past the output buffer */ switch (code) { case 0: smp = 4; break; case 1: smp = 2; break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; }
+ show +
54
55
56
57
58
59
60
61
62
63
if (samples_end - samples < smp) break; /* make sure we don't read past the input buffer */ size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; if ((buf - avpkt->data) + size > buf_size) break; switch (code) { case 0: /* ADPCM 2-bit */

[ffmpeg_CVE-2012-0947_1335183393_vqa_decode_init.diff] vqa_decode_init_OLD.c #1
return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size);
.\cloneFuncs\totalClone\Type-1\CVE-2012-0947_before_1mo_1332368371_vqa_decode_init.c
21
22
23
24
25
26
27
28
29
30
return -1; } s->vector_width = s->avctx->extradata[10]; s->vector_height = s->avctx->extradata[11]; s->partial_count = s->partial_countdown = s->avctx->extradata[13]; /* the vector dimensions have to meet very stringent requirements */ if ((s->vector_width != 4) || ((s->vector_height != 2) && (s->vector_height != 4))) { /* return without further initialization */
+ show +
31
32
33
34
35
36
return -1; } /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size);
+ show +
37
38
39
40
41
42
43
44
45
46
if (!s->codebook) goto fail; s->next_codebook_buffer = av_malloc(s->codebook_size); if (!s->next_codebook_buffer) goto fail; /* allocate decode buffer */ s->decode_buffer_size = (s->width / s->vector_width) * (s->height / s->vector_height) * 2; s->decode_buffer = av_malloc(s->decode_buffer_size);
.\cloneFuncs\totalClone\Type-3\CVE-2012-0947_before_6mo_1310900071_vqa_decode_init.c
23
24
25
26
27
28
29
30
31
32
return -1; } s->vector_width = vqa_header[10]; s->vector_height = vqa_header[11]; s->partial_count = s->partial_countdown = vqa_header[13]; /* the vector dimensions have to meet very stringent requirements */ if ((s->vector_width != 4) || ((s->vector_height != 2) && (s->vector_height != 4))) { /* return without further initialization */
+ show +
33
34
35
36
37
38
return -1; } /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size);
+ show +
39
40
41
42
43
44
45
46
47
48
s->next_codebook_buffer = av_malloc(s->codebook_size); /* initialize the solid-color vectors */ if (s->vector_height == 4) { codebook_index = 0xFF00 * 16; for (i = 0; i < 256; i++) for (j = 0; j < 16; j++) s->codebook[codebook_index++] = i; } else { codebook_index = 0xF00 * 8;

[libtiff_CVE-2012-1173_1333730791_gtStripSeparate.diff] gtStripSeparate_OLD.c #1
uint32 rowsperstrip, offset_row; uint32 imagewidth = img->width; tmsize_t stripsize; + tmsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; int ret = 1, flip, colorchannels; stripsize = TIFFStripSize(tif); - p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); + bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); + _TIFFmemset(buf, 0, bufsize); p1 = p0 + stripsize; p2 = p1 + stripsize; pa = (alpha?(p2+stripsize):NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2012-1173_before_1mo_1278077950_gtStripSeparate.c
1
2
3
4
5
6
7
8
9
10
static int gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) { TIFF* tif = img->tif; tileSeparateRoutine put = img->put.separate; unsigned char *buf; unsigned char *p0, *p1, *p2, *pa; uint32 row, y, nrow, rowstoread; tmsize_t pos; tmsize_t scanline;
+ show +
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
uint32 rowsperstrip, offset_row; uint32 imagewidth = img->width; tmsize_t stripsize; int32 fromskew, toskew; int alpha = img->alpha; int ret = 1, flip, colorchannels; stripsize = TIFFStripSize(tif); p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); p1 = p0 + stripsize; p2 = p1 + stripsize; pa = (alpha?(p2+stripsize):NULL);
+ show +
28
29
30
31
32
33
34
35
36
37
flip = setorientation(img); if (flip & FLIP_VERTICALLY) { y = h - 1; toskew = -(int32)(w + w); } else { y = 0; toskew = -(int32)(w - w); }

[libtiff_CVE-2012-1173_1333730791_gtTileSeparate.diff] gtTileSeparate_OLD.c #1
unsigned char* p2; unsigned char* pa; tmsize_t tilesize; + tmsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; uint32 nrow;
.\cloneFuncs\totalClone\Type-1\CVE-2012-1173_before_1mo_1278077950_gtTileSeparate.c
2
3
4
5
6
7
8
9
10
11
gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) { TIFF* tif = img->tif; tileSeparateRoutine put = img->put.separate; uint32 col, row, y, rowstoread; tmsize_t pos; uint32 tw, th; unsigned char* buf; unsigned char* p0; unsigned char* p1;
+ show +
12
13
14
15
16
17
unsigned char* p2; unsigned char* pa; tmsize_t tilesize; int32 fromskew, toskew; int alpha = img->alpha; uint32 nrow;
+ show +
18
19
20
21
22
23
24
25
26
27
int ret = 1, flip; int colorchannels; tilesize = TIFFTileSize(tif); buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); return (0); } _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);

[libtiff_CVE-2012-1173_1333730791_gtTileSeparate.diff] gtTileSeparate_OLD.c #2
int colorchannels; tilesize = TIFFTileSize(tif); - buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); + bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + buf = (unsigned char*) _TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); + _TIFFmemset(buf, 0, bufsize); p0 = buf; p1 = p0 + tilesize; p2 = p1 + tilesize;
.\cloneFuncs\totalClone\Type-1\CVE-2012-1173_before_1mo_1278077950_gtTileSeparate.c
9
10
11
12
13
14
15
16
17
18
unsigned char* buf; unsigned char* p0; unsigned char* p1; unsigned char* p2; unsigned char* pa; tmsize_t tilesize; int32 fromskew, toskew; int alpha = img->alpha; uint32 nrow; int ret = 1, flip;
+ show +
19
20
21
22
23
24
25
26
27
28
29
30
int colorchannels; tilesize = TIFFTileSize(tif); buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); return (0); } _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); p0 = buf; p1 = p0 + tilesize; p2 = p1 + tilesize;
+ show +
31
32
33
34
35
36
37
38
39
40
pa = (alpha?(p2+tilesize):NULL); TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); flip = setorientation(img); if (flip & FLIP_VERTICALLY) { y = h - 1; toskew = -(int32)(tw + w); } else {

[openssl_CVE-2012-2110_1334852396_CRYPTO_realloc_clean.diff] CRYPTO_realloc_clean_OLD.c #1
if (num <= 0) return NULL; + /* We don't support shrinking the buffer. Note the memcpy that copies + * |old_len| bytes to the new buffer, below. */ + if (num < old_len) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2110_before_1mo_1301672763_CRYPTO_realloc_clean.c
1
2
3
4
5
6
7
8
void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line) { void *ret = NULL; if (str == NULL) return CRYPTO_malloc(num, file, line);
+ show +
9
10
11
12
13
if (num <= 0) return NULL; if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line);
+ show +
14
15
16
17
18
19
20
21
22
23
if(ret) { memcpy(ret,str,old_len); OPENSSL_cleanse(str,old_len); free_func(str); } #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num);

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size.diff] t2p_read_tiff_size_OLD.c #1
tstrip_t i=0; tstrip_t stripcount=0; #endif -#ifdef OJPEG_SUPPORT - tsize_t k = 0; -#endif + uint64 k = 0; if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size.c
1
2
3
4
5
void t2p_read_tiff_size(T2P* t2p, TIFF* input){ uint64* sbc=NULL; #if defined(JPEG_SUPPORT) || defined (OJPEG_SUPPORT) unsigned char* jpt=NULL;
+ show +
6
7
8
9
10
11
12
13
14
tstrip_t i=0; tstrip_t stripcount=0; #endif #ifdef OJPEG_SUPPORT tsize_t k = 0; #endif if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT
+ show +
15
16
17
18
19
20
21
22
23
24
if(t2p->pdf_compression == T2P_COMPRESS_G4 ){ TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc); t2p->tiff_datasize=(tmsize_t)sbc[0]; return; } #endif #ifdef ZIP_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_ZIP){ TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc); t2p->tiff_datasize=(tmsize_t)sbc[0];

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size.diff] t2p_read_tiff_size_OLD.c #2
} stripcount=TIFFNumberOfStrips(input); for(i=0;i<stripcount;i++){ - k += sbc[i]; + k = checkAdd64(k, sbc[i], t2p); } if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ - if(t2p->tiff_datasize < k) { - t2p->pdf_ojpegiflength=t2p->tiff_datasize; - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=6; - t2p->tiff_datasize+=2*stripcount; + if((uint64)t2p->tiff_datasize < k) { TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); + t2p->pdf_ojpegiflength=t2p->tiff_datasize; + k = checkAdd64(k, t2p->tiff_datasize, t2p); + k = checkAdd64(k, 6, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } return;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size.c
26
27
28
29
30
31
32
33
34
35
} #endif #ifdef OJPEG_SUPPORT if(t2p->tiff_compression == COMPRESSION_OJPEG){ if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ TIFFError(TIFF2PDF_MODULE, "Input file %s missing field: TIFFTAG_STRIPBYTECOUNTS", TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; return;
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
} stripcount=TIFFNumberOfStrips(input); for(i=0;i<stripcount;i++){ k += sbc[i]; } if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ if(t2p->tiff_datasize < k) { t2p->pdf_ojpegiflength=t2p->tiff_datasize; t2p->tiff_datasize+=k; t2p->tiff_datasize+=6; t2p->tiff_datasize+=2*stripcount; TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); return; } return;
+ show +
55
56
57
58
59
60
61
62
63
64
}else { TIFFError(TIFF2PDF_MODULE, "Input file %s missing field: TIFFTAG_JPEGIFBYTECOUNT", TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; return; } } } t2p->tiff_datasize+=k;

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size.diff] t2p_read_tiff_size_OLD.c #3
} } } - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=2*stripcount; - t2p->tiff_datasize+=2048; + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, 2048, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } #endif
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size.c
51
52
53
54
55
56
57
58
59
60
TIFFFileName(input)); return; } return; }else { TIFFError(TIFF2PDF_MODULE, "Input file %s missing field: TIFFTAG_JPEGIFBYTECOUNT", TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; return;
+ show +
61
62
63
64
65
66
67
68
69
} } } t2p->tiff_datasize+=k; t2p->tiff_datasize+=2*stripcount; t2p->tiff_datasize+=2048; return; } #endif
+ show +
70
71
72
73
74
75
76
77
78
79
#ifdef JPEG_SUPPORT if(t2p->tiff_compression == COMPRESSION_JPEG) { uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ t2p->tiff_datasize += count; t2p->tiff_datasize -= 2; /* don't use EOI of header */ } } else { t2p->tiff_datasize = 2; /* SOI for first strip */

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size.diff] t2p_read_tiff_size_OLD.c #4
uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ - t2p->tiff_datasize += count; - t2p->tiff_datasize -= 2; /* don't use EOI of header */ + k += count; + k -= 2; /* don't use EOI of header */ } } else { - t2p->tiff_datasize = 2; /* SOI for first strip */ + k = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size.c
62
63
64
65
66
67
68
69
70
71
} } t2p->tiff_datasize+=k; t2p->tiff_datasize+=2*stripcount; t2p->tiff_datasize+=2048; return; } #endif #ifdef JPEG_SUPPORT if(t2p->tiff_compression == COMPRESSION_JPEG) {
+ show +
72
73
74
75
76
77
78
79
80
81
82
uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ t2p->tiff_datasize += count; t2p->tiff_datasize -= 2; /* don't use EOI of header */ } } else { t2p->tiff_datasize = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+ show +
83
84
85
86
87
88
89
90
91
92
TIFFError(TIFF2PDF_MODULE, "Input file %s missing field: TIFFTAG_STRIPBYTECOUNTS", TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; return; } for(i=0;i<stripcount;i++){ t2p->tiff_datasize += sbc[i]; t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ }

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size_tile.diff] t2p_read_tiff_size_tile_OLD.c #1
#ifdef JPEG_SUPPORT unsigned char* jpt; #endif + uint64 k; edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size_tile.c
1
2
3
4
void t2p_read_tiff_size_tile(T2P* t2p, TIFF* input, ttile_t tile){ uint64* tbc = NULL; uint16 edge=0;
+ show +
5
6
7
8
9
10
#ifdef JPEG_SUPPORT unsigned char* jpt; #endif edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ show +
11
12
13
14
15
16
17
18
19
20
if(t2p->pdf_transcode==T2P_TRANSCODE_RAW){ if(edge #if defined(JPEG_SUPPORT) || defined(OJPEG_SUPPORT) && !(t2p->pdf_compression==T2P_COMPRESS_JPEG) #endif ){ t2p->tiff_datasize=TIFFTileSize(input); return; } else {

[libtiff_CVE-2012-2113_1339796671_t2p_read_tiff_size_tile.diff] t2p_read_tiff_size_tile_OLD.c #2
#endif ){ t2p->tiff_datasize=TIFFTileSize(input); + if (t2p->tiff_datasize == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); - t2p->tiff_datasize=(tmsize_t)tbc[tile]; + k=tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ - t2p->tiff_datasize+=2048; - return; + k = checkAdd64(k, 2048, t2p); } #endif #ifdef JPEG_SUPPORT
.\cloneFuncs\totalClone\Type-1\CVE-2012-2113_before_1mo_1306861030_t2p_read_tiff_size_tile.c
6
7
8
9
10
11
12
13
14
15
unsigned char* jpt; #endif edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); if(t2p->pdf_transcode==T2P_TRANSCODE_RAW){ if(edge #if defined(JPEG_SUPPORT) || defined(OJPEG_SUPPORT) && !(t2p->pdf_compression==T2P_COMPRESS_JPEG)
+ show +
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#endif ){ t2p->tiff_datasize=TIFFTileSize(input); return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); t2p->tiff_datasize=(tmsize_t)tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ t2p->tiff_datasize+=2048; return; } #endif #ifdef JPEG_SUPPORT
+ show +
30
31
32
33
34
35
36
37
38
39
if(t2p->tiff_compression==COMPRESSION_JPEG) { uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ if(count > 4){ t2p->tiff_datasize += count; t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */ } } } #endif

[openssl_CVE-2012-2333_1336665832_tls1_enc.diff] tls1_enc_OLD.c #1
if (s->version >= TLS1_1_VERSION && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { + if (bs > (int)rec->length) + return -1; rec->data += bs; /* skip the explicit IV */ rec->input += bs; rec->length -= bs;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2333_before_imd_1331666455_tls1_enc.c
210
211
212
213
214
215
216
217
218
219
} for (j=(int)(l-i); j<(int)l; j++) { if (rec->data[j] != ii) { /* Incorrect padding */ return -1; } } rec->length -=i;
+ show +
220
221
222
223
224
225
if (s->version >= TLS1_1_VERSION && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { rec->data += bs; /* skip the explicit IV */ rec->input += bs; rec->length -= bs;
+ show +
226
227
228
229
230
231
232
} } if (pad && !send) rec->length -= pad; } return(1); }
.\cloneFuncs\totalClone\Type-3\CVE-2012-2333_before_1mo_1329923216_tls1_enc.c
207
208
209
210
211
212
213
214
215
216
} for (j=(int)(l-i); j<(int)l; j++) { if (rec->data[j] != ii) { /* Incorrect padding */ return -1; } } rec->length -=i;
+ show +
217
218
219
220
221
222
if (s->version >= TLS1_1_VERSION && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { rec->data += bs; /* skip the explicit IV */ rec->input += bs; rec->length -= bs;
+ show +
223
224
225
226
227
228
229
} } if (pad && !send) rec->length -= pad; } return(1); }

[qemu_CVE-2012-2652_1338190074_enable_write_target.diff] enable_write_target_OLD.c #1
array_init(&(s->commits), sizeof(commit_t)); s->qcow_filename = g_malloc(1024); - get_tmp_filename(s->qcow_filename, 1024); + ret = get_tmp_filename(s->qcow_filename, 1024); + if (ret < 0) { + g_free(s->qcow_filename); + s->qcow_filename = NULL; + return ret; + } bdrv_qcow = bdrv_find_format("qcow"); options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2652_before_1mo_1325869064_enable_write_target.c
1
2
3
4
5
6
7
8
static int enable_write_target(BDRVVVFATState *s) { BlockDriver *bdrv_qcow; QEMUOptionParameter *options; int ret; int size = sector2cluster(s, s->sector_count); s->used_clusters = calloc(size, 1);
+ show +
9
10
11
12
13
14
15
array_init(&(s->commits), sizeof(commit_t)); s->qcow_filename = g_malloc(1024); get_tmp_filename(s->qcow_filename, 1024); bdrv_qcow = bdrv_find_format("qcow"); options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
+ show +
16
17
18
19
20
21
22
23
24
25
set_option_parameter_int(options, BLOCK_OPT_SIZE, s->sector_count * 512); set_option_parameter(options, BLOCK_OPT_BACKING_FILE, "fat:"); if (bdrv_create(bdrv_qcow, s->qcow_filename, options) < 0) return -1; s->qcow = bdrv_new(""); if (s->qcow == NULL) { return -1; }

[ffmpeg_CVE-2012-2775_1332549553_read_var_block_data.diff] read_var_block_data_OLD.c #1
int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-2775_before_imd_1333812347_read_var_block_data.c
65
66
67
68
69
70
71
72
73
74
} if (get_bits1(gb)) *bd->shift_lsbs = get_bits(gb, 4) + 1; *bd->store_prev_samples = (bd->js_blocks && bd->raw_other) || *bd->shift_lsbs; if (!sconf->rlslms) { if (sconf->adapt_order) {
+ show +
75
76
77
78
79
80
int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); } else { *bd->opt_order = sconf->max_order; }
+ show +
81
82
83
84
85
86
87
88
89
90
opt_order = *bd->opt_order; if (opt_order) { int add_base; if (sconf->coef_table == 3) { add_base = 0x7F; // read coefficient 0
.\cloneFuncs\totalClone\Type-3\CVE-2012-2775_before_1mo_1329510506_read_var_block_data.c
60
61
62
63
64
65
66
67
68
69
} if (get_bits1(gb)) *bd->shift_lsbs = get_bits(gb, 4) + 1; *bd->store_prev_samples = (bd->js_blocks && bd->raw_other) || *bd->shift_lsbs; if (!sconf->rlslms) { if (sconf->adapt_order) {
+ show +
70
71
72
73
74
75
int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); } else { *bd->opt_order = sconf->max_order; }
+ show +
76
77
78
79
80
81
82
83
84
85
opt_order = *bd->opt_order; if (opt_order) { int add_base; if (sconf->coef_table == 3) { add_base = 0x7F; // read coefficient 0

[ffmpeg_CVE-2012-2790_1334506032_read_var_block_data.diff] read_var_block_data_OLD.c #1
int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i; // read most significant bits unsigned int high;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2775_before_imd_1333812347_read_var_block_data.c
158
159
160
161
162
163
164
165
166
167
if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); start = FFMIN(opt_order, 3); } // read all residuals if (sconf->bgmc) {
+ show +
168
169
170
171
172
173
174
int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high;
+ show +
175
176
177
178
179
180
181
182
183
184
unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value); current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb];
.\cloneFuncs\totalClone\Type-1\CVE-2012-2790_before_imd_1331481383_read_var_block_data.c
167
168
169
170
171
172
173
174
175
176
if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); start = FFMIN(opt_order, 3); } // read all residuals if (sconf->bgmc) {
+ show +
177
178
179
180
181
182
183
int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high;
+ show +
184
185
186
187
188
189
190
191
192
193
unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value); current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb];
.\cloneFuncs\totalClone\Type-3\CVE-2012-2775_after_imd_1330492217_read_var_block_data.c
167
168
169
170
171
172
173
174
175
176
if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); start = FFMIN(opt_order, 3); } // read all residuals if (sconf->bgmc) {
+ show +
177
178
179
180
181
182
183
int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high;
+ show +
184
185
186
187
188
189
190
191
192
193
unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value); current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb];

[ffmpeg_CVE-2012-2790_1334506032_read_var_block_data.diff] read_var_block_data_OLD.c #2
current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { + unsigned int sb_len = sb_length - (sb ? 0 : start); + k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; - ff_bgmc_decode(gb, sb_length, current_res, + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); - current_res += sb_length; + current_res += sb_len; } ff_bgmc_decode_end(gb); // read least significant bits and tails - i = start; current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++, start = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; - for (; i < sb_length; i++) { + for (; start < sb_length; start++) { int32_t res = *current_res; if (res == cur_tail_code) {
.\cloneFuncs\totalClone\Type-1\CVE-2012-2775_before_imd_1333812347_read_var_block_data.c
170
171
172
173
174
175
176
177
178
179
unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high; unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value);
+ show +
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; ff_bgmc_decode(gb, sb_length, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); current_res += sb_length; } ff_bgmc_decode_end(gb); // read least significant bits and tails i = start; current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++, i = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; for (; i < sb_length; i++) { int32_t res = *current_res; if (res == cur_tail_code) {
+ show +
208
209
210
211
212
213
214
215
216
217
unsigned int max_msb = (2 + (sx[sb] > 2) + (sx[sb] > 10)) << (5 - delta[sb]); res = decode_rice(gb, cur_s); if (res >= 0) { res += (max_msb ) << cur_k; } else { res -= (max_msb - 1) << cur_k; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-2790_before_imd_1331481383_read_var_block_data.c
179
180
181
182
183
184
185
186
187
188
unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high; unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value);
+ show +
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; ff_bgmc_decode(gb, sb_length, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); current_res += sb_length; } ff_bgmc_decode_end(gb); // read least significant bits and tails i = start; current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++, i = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; for (; i < sb_length; i++) { int32_t res = *current_res; if (res == cur_tail_code) {
+ show +
217
218
219
220
221
222
223
224
225
226
unsigned int max_msb = (2 + (sx[sb] > 2) + (sx[sb] > 10)) << (5 - delta[sb]); res = decode_rice(gb, cur_s); if (res >= 0) { res += (max_msb ) << cur_k; } else { res -= (max_msb - 1) << cur_k; }
.\cloneFuncs\totalClone\Type-3\CVE-2012-2775_after_imd_1330492217_read_var_block_data.c
179
180
181
182
183
184
185
186
187
188
unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int i; // read most significant bits unsigned int high; unsigned int low; unsigned int value; ff_bgmc_decode_init(gb, &high, &low, &value);
+ show +
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; ff_bgmc_decode(gb, sb_length, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); current_res += sb_length; } ff_bgmc_decode_end(gb); // read least significant bits and tails i = start; current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++, i = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; for (; i < sb_length; i++) { int32_t res = *current_res; if (res == cur_tail_code) {
+ show +
217
218
219
220
221
222
223
224
225
226
unsigned int max_msb = (2 + (sx[sb] > 2) + (sx[sb] > 10)) << (5 - delta[sb]); res = decode_rice(gb, cur_s); if (res >= 0) { res += (max_msb ) << cur_k; } else { res -= (max_msb - 1) << cur_k; }

[ffmpeg_CVE-2012-2776_1348907989_decode_cell_data.diff] decode_cell_data_OLD.c #1
blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2); line_offset = v_zoom ? row_offset : 0; + if (cell->height & v_zoom || cell->width & h_zoom) + return IV3_BAD_DATA; + for (y = 0; y < cell->height; is_first_row = 0, y += 1 + v_zoom) { for (x = 0; x < cell->width; x += 1 + h_zoom) { ref = ref_block;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2776_before_1mo_1337017614_decode_cell_data.c
6
7
8
9
10
11
12
13
14
15
int x, y, line, num_lines; int rle_blocks = 0; uint8_t code, *dst, *ref; const vqEntry *delta_tab; unsigned int dyad1, dyad2; uint64_t pix64; int skip_flag = 0, is_top_of_cell, is_first_row = 1; int row_offset, blk_row_offset, line_offset; row_offset = pitch;
+ show +
16
17
18
19
20
21
blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2); line_offset = v_zoom ? row_offset : 0; for (y = 0; y < cell->height; is_first_row = 0, y += 1 + v_zoom) { for (x = 0; x < cell->width; x += 1 + h_zoom) { ref = ref_block;
+ show +
22
23
24
25
26
27
28
29
30
31
dst = block; if (rle_blocks > 0) { if (mode <= 4) { RLE_BLOCK_COPY; } else if (mode == 10 && !cell->mv_ptr) { RLE_BLOCK_COPY_8; } rle_blocks--; } else {

[ffmpeg_CVE-2012-2779_1332607435_ff_ivi_decode_frame.diff] ff_ivi_decode_frame_OLD.c #1
"Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
.\cloneFuncs\totalClone\Type-1\CVE-2012-2779_before_imd_1344157864_ff_ivi_decode_frame.c
6
7
8
9
10
11
12
13
14
15
int buf_size = avpkt->size; int result, p, b; init_get_bits(&ctx->gb, buf, buf_size * 8); ctx->frame_data = buf; ctx->frame_size = buf_size; result = ctx->decode_pic_hdr(ctx, avctx); if (result) { av_log(avctx, AV_LOG_ERROR,
+ show +
16
17
18
19
20
21
"Error while decoding picture header: %d\n", result); return -1; } if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
+ show +
22
23
24
25
26
27
28
29
30
31
return -1; } ctx->switch_buffers(ctx); //{ START_TIMER; if (ctx->is_nonnull_frame(ctx)) { for (p = 0; p < 3; p++) { for (b = 0; b < ctx->planes[p].num_bands; b++) {

[ffmpeg_CVE-2012-2787_1334426645_ff_ivi_decode_frame.diff] ff_ivi_decode_frame_OLD.c #1
avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; + avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height); if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2779_before_imd_1344157864_ff_ivi_decode_frame.c
45
46
47
48
49
50
51
52
53
54
/* be sent together. Unfortunately the approach below seems to be the only way */ /* to handle the B-frames mode. That's exactly the same Intel decoders do. */ if (avctx->codec_id == AV_CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { while (get_bits(&ctx->gb, 8)); // skip version string skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) av_log(avctx, AV_LOG_ERROR, "Buffer contains IP frames!\n"); } if (ctx->frame.data[0])
+ show +
55
56
57
58
59
60
avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result;
+ show +
61
62
63
64
65
66
67
68
69
70
} if (ctx->is_scalable) { if (avctx->codec_id == AV_CODEC_ID_INDEO4) ff_ivi_recompose_haar(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); else ff_ivi_recompose53 (&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); } else { ff_ivi_output_plane(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0]); }
.\cloneFuncs\totalClone\Type-1\CVE-2012-2787_before_imd_1332607435_ff_ivi_decode_frame.c
47
48
49
50
51
52
53
54
55
56
/* be sent together. Unfortunately the approach below seems to be the only way */ /* to handle the B-frames mode. That's exactly the same Intel decoders do. */ if (avctx->codec_id == AV_CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { while (get_bits(&ctx->gb, 8)); // skip version string skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) av_log(avctx, AV_LOG_ERROR, "Buffer contains IP frames!\n"); } if (ctx->frame.data[0])
+ show +
57
58
59
60
61
62
avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result;
+ show +
63
64
65
66
67
68
69
70
71
72
} if (ctx->is_scalable) { if (avctx->codec_id == AV_CODEC_ID_INDEO4) ff_ivi_recompose_haar(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); else ff_ivi_recompose53 (&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); } else { ff_ivi_output_plane(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0]); }

[ffmpeg_CVE-2012-2782_1346931008_decode_slice_header.diff] decode_slice_header_OLD.c #1
unsigned int slice_type, tmp, i, j; int default_ref_list_done = 0; int last_pic_structure, last_pic_droppable; + int needs_reinit = 0; + enum AVPixelFormat pix_fmt; /* FIXME: 2tap qpel isn't implemented for high bit depth. */ if ((s->avctx->flags2 & CODEC_FLAG2_FAST) &&
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
1
2
3
4
5
6
7
static int decode_slice_header(H264Context *h, H264Context *h0) { MpegEncContext *const s = &h->s; MpegEncContext *const s0 = &h0->s; unsigned int first_mb_in_slice; unsigned int pps_id; int num_ref_idx_active_override_flag, max_refs, ret;
+ show +
8
9
10
11
12
13
unsigned int slice_type, tmp, i, j; int default_ref_list_done = 0; int last_pic_structure, last_pic_droppable; /* FIXME: 2tap qpel isn't implemented for high bit depth. */ if ((s->avctx->flags2 & CODEC_FLAG2_FAST) &&
+ show +
14
15
16
17
18
19
20
21
22
23
!h->nal_ref_idc && !h->pixel_shift) { s->me.qpel_put = s->dsp.put_2tap_qpel_pixels_tab; s->me.qpel_avg = s->dsp.avg_2tap_qpel_pixels_tab; } else { s->me.qpel_put = s->dsp.put_h264_qpel_pixels_tab; s->me.qpel_avg = s->dsp.avg_h264_qpel_pixels_tab; } first_mb_in_slice = get_ue_golomb(&s->gb);

[ffmpeg_CVE-2012-2782_1346931008_decode_slice_header.diff] decode_slice_header_OLD.c #2
} if (h->pps.sps_id != h->current_sps_id || + h->context_reinitialized || h0->sps_buffers[h->pps.sps_id]->new) { h0->sps_buffers[h->pps.sps_id]->new = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
72
73
74
75
76
77
78
79
80
81
pps_id); return -1; } h->pps = *h0->pps_buffers[pps_id]; if (!h0->sps_buffers[h->pps.sps_id]) { av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return -1;
+ show +
82
83
84
85
86
} if (h->pps.sps_id != h->current_sps_id || h0->sps_buffers[h->pps.sps_id]->new) { h0->sps_buffers[h->pps.sps_id]->new = 0;
+ show +
87
88
89
90
91
92
93
94
95
96
h->current_sps_id = h->pps.sps_id; h->sps = *h0->sps_buffers[h->pps.sps_id]; if ((ret = h264_set_parameter_from_sps(h)) < 0) return ret; } s->avctx->profile = ff_h264_get_profile(&h->sps); s->avctx->level = h->sps.level_idc;
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362392468_decode_slice_header.c
64
65
66
67
68
69
70
71
72
73
pps_id); return -1; } h->pps = *h0->pps_buffers[pps_id]; if (!h0->sps_buffers[h->pps.sps_id]) { av_log(h->avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return -1;
+ show +
74
75
76
77
78
} if (h->pps.sps_id != h->current_sps_id || h0->sps_buffers[h->pps.sps_id]->new) { h0->sps_buffers[h->pps.sps_id]->new = 0;
+ show +
79
80
81
82
83
84
85
86
87
88
h->current_sps_id = h->pps.sps_id; h->sps = *h0->sps_buffers[h->pps.sps_id]; if (h->bit_depth_luma != h->sps.bit_depth_luma || h->chroma_format_idc != h->sps.chroma_format_idc) { h->bit_depth_luma = h->sps.bit_depth_luma; h->chroma_format_idc = h->sps.chroma_format_idc; needs_reinit = 1; }
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362608829_decode_slice_header.c
67
68
69
70
71
72
73
74
75
76
pps_id); return -1; } h->pps = *h0->pps_buffers[pps_id]; if (!h0->sps_buffers[h->pps.sps_id]) { av_log(h->avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return -1;
+ show +
77
78
79
80
81
} if (h->pps.sps_id != h->current_sps_id || h0->sps_buffers[h->pps.sps_id]->new) { h0->sps_buffers[h->pps.sps_id]->new = 0;
+ show +
82
83
84
85
86
87
88
89
90
91
h->current_sps_id = h->pps.sps_id; h->sps = *h0->sps_buffers[h->pps.sps_id]; if (h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc ) needs_reinit = 1;

[ffmpeg_CVE-2012-2782_1346931008_decode_slice_header.diff] decode_slice_header_OLD.c #3
s->avctx->level = h->sps.level_idc; s->avctx->refs = h->sps.ref_frame_count; + if (s->mb_width != h->sps.mb_width || + s->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag)) + needs_reinit = 1; + s->mb_width = h->sps.mb_width; s->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
86
87
88
89
90
91
92
93
94
95
h0->sps_buffers[h->pps.sps_id]->new = 0; h->current_sps_id = h->pps.sps_id; h->sps = *h0->sps_buffers[h->pps.sps_id]; if ((ret = h264_set_parameter_from_sps(h)) < 0) return ret; } s->avctx->profile = ff_h264_get_profile(&h->sps);
+ show +
96
97
98
99
100
s->avctx->level = h->sps.level_idc; s->avctx->refs = h->sps.ref_frame_count; s->mb_width = h->sps.mb_width; s->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);
+ show +
101
102
103
104
105
106
107
108
109
110
h->b_stride = s->mb_width * 4; s->chroma_y_shift = h->sps.chroma_format_idc <= 1; // 400 uses yuv420p s->width = 16 * s->mb_width - (2 >> CHROMA444) * FFMIN(h->sps.crop_right, (8 << CHROMA444) - 1); if (h->sps.frame_mbs_only_flag) s->height = 16 * s->mb_height - (1 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1); else s->height = 16 * s->mb_height - (2 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1);
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_before_1mo_1343015170_decode_slice_header.c
76
77
78
79
80
81
82
83
84
85
if (!h0->sps_buffers[h->pps.sps_id]) { av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return -1; } h->sps = *h0->sps_buffers[h->pps.sps_id]; s->avctx->profile = ff_h264_get_profile(&h->sps);
+ show +
86
87
88
89
90
s->avctx->level = h->sps.level_idc; s->avctx->refs = h->sps.ref_frame_count; s->mb_width = h->sps.mb_width; s->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);
+ show +
91
92
93
94
95
96
97
98
99
100
h->b_stride = s->mb_width * 4; s->chroma_y_shift = h->sps.chroma_format_idc <= 1; // 400 uses yuv420p s->width = 16 * s->mb_width - (2 >> CHROMA444) * FFMIN(h->sps.crop_right, (8 << CHROMA444) - 1); if (h->sps.frame_mbs_only_flag) s->height = 16 * s->mb_height - (1 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1); else s->height = 16 * s->mb_height - (2 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1);

[ffmpeg_CVE-2012-2782_1346931008_decode_slice_header.diff] decode_slice_header_OLD.c #4
s->height = s->avctx->height; } + if (h->sps.video_signal_type_present_flag) { + s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG + : AVCOL_RANGE_MPEG; + if (h->sps.colour_description_present_flag) { + s->avctx->color_primaries = h->sps.color_primaries; + s->avctx->color_trc = h->sps.color_trc; + s->avctx->colorspace = h->sps.colorspace; + } + } + + ret = get_pixel_format(h); + if (ret < 0) + return ret; + else + pix_fmt = ret; + if (s->avctx->pix_fmt == PIX_FMT_NONE) + s->avctx->pix_fmt = pix_fmt; + if (s->context_initialized && - (s->width != s->avctx->width || s->height != s->avctx->height || + (s->width != s->avctx->width || + s->height != s->avctx->height || + pix_fmt != s->avctx->pix_fmt || + needs_reinit || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { - if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { - av_log_missing_feature(s->avctx, - "Width/height changing with threads", 0); - return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding - } - free_tables(h, 0); - flush_dpb(s->avctx); - ff_MPV_common_end(s); - } - if (!s->context_initialized) { + if (h != h0) { - av_log(h->s.avctx, AV_LOG_ERROR, - "Cannot (re-)initialize context during parallel decoding.\n"); - return -1; + av_log(s->avctx, AV_LOG_ERROR, "changing width/height on " + "slice %d\n", h0->current_slice + 1); + return AVERROR_INVALIDDATA; } - avcodec_set_dimensions(s->avctx, s->width, s->height); - s->avctx->sample_aspect_ratio = h->sps.sar; - av_assert0(s->avctx->sample_aspect_ratio.den); - - if (h->sps.video_signal_type_present_flag) { - s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG - : AVCOL_RANGE_MPEG; - if (h->sps.colour_description_present_flag) { - s->avctx->color_primaries = h->sps.color_primaries; - s->avctx->color_trc = h->sps.color_trc; - s->avctx->colorspace = h->sps.colorspace; - } - } + av_log(h->s.avctx, AV_LOG_INFO, "Reinit context to %dx%d, " + "pix_fmt: %d\n", s->width, s->height, pix_fmt); - if (h->sps.timing_info_present_flag) { - int64_t den = h->sps.time_scale; - if (h->x264_build < 44U) - den *= 2; - av_reduce(&s->avctx->time_base.num, &s->avctx->time_base.den, - h->sps.num_units_in_tick, den, 1 << 30); - } - - switch (h->sps.bit_depth_luma) { - case 9: - if (CHROMA444) { - if (s->avctx->colorspace == AVCOL_SPC_RGB) { - s->avctx->pix_fmt = AV_PIX_FMT_GBRP9; - } else - s->avctx->pix_fmt = AV_PIX_FMT_YUV444P9; - } else if (CHROMA422) - s->avctx->pix_fmt = AV_PIX_FMT_YUV422P9; - else - s->avctx->pix_fmt = AV_PIX_FMT_YUV420P9; - break; - case 10: - if (CHROMA444) { - if (s->avctx->colorspace == AVCOL_SPC_RGB) { - s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; - } else - s->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; - } else if (CHROMA422) - s->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; - else - s->avctx->pix_fmt = AV_PIX_FMT_YUV420P10; - break; - case 8: - if (CHROMA444) { - if (s->avctx->colorspace == AVCOL_SPC_RGB) { - s->avctx->pix_fmt = AV_PIX_FMT_GBRP; - } else - s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P - : AV_PIX_FMT_YUV444P; - } else if (CHROMA422) { - s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P - : AV_PIX_FMT_YUV422P; - } else { - s->avctx->pix_fmt = s->avctx->get_format(s->avctx, - s->avctx->codec->pix_fmts ? - s->avctx->codec->pix_fmts : - s->avctx->color_range == AVCOL_RANGE_JPEG ? - hwaccel_pixfmt_list_h264_jpeg_420 : - ff_hwaccel_pixfmt_list_420); - } - break; - default: - av_log(s->avctx, AV_LOG_ERROR, - "Unsupported bit depth: %d\n", h->sps.bit_depth_luma); - return AVERROR_INVALIDDATA; - } + flush_change(h); - s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id, - s->avctx->pix_fmt); + s->avctx->pix_fmt = pix_fmt; - if (ff_MPV_common_init(s) < 0) { - av_log(h->s.avctx, AV_LOG_ERROR, "ff_MPV_common_init() failed.\n"); - return -1; + if ((ret = h264_slice_header_init(h, 1)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, + "h264_slice_header_init() failed\n"); + return ret; } - s->first_field = 0; - h->prev_interlaced_frame = 1; - - init_scan_tables(h); - if (ff_h264_alloc_tables(h) < 0) { + h->context_reinitialized = 1; + } + if (!s->context_initialized) { + if (h != h0) { av_log(h->s.avctx, AV_LOG_ERROR, - "Could not allocate memory for h264\n"); - return AVERROR(ENOMEM); + "Cannot (re-)initialize context during parallel decoding.\n"); + return -1; } - - if (!HAVE_THREADS || !(s->avctx->active_thread_type & FF_THREAD_SLICE)) { - if (context_init(h) < 0) { - av_log(h->s.avctx, AV_LOG_ERROR, "context_init() failed.\n"); - return -1; - } - } else { - for (i = 1; i < s->slice_context_count; i++) { - H264Context *c; - c = h->thread_context[i] = av_malloc(sizeof(H264Context)); - memcpy(c, h->s.thread_context[i], sizeof(MpegEncContext)); - memset(&c->s + 1, 0, sizeof(H264Context) - sizeof(MpegEncContext)); - c->h264dsp = h->h264dsp; - c->sps = h->sps; - c->pps = h->pps; - c->pixel_shift = h->pixel_shift; - init_scan_tables(c); - clone_tables(c, h, i); - } - - for (i = 0; i < s->slice_context_count; i++) - if (context_init(h->thread_context[i]) < 0) { - av_log(h->s.avctx, AV_LOG_ERROR, - "context_init() failed.\n"); - return -1; - } + if ((ret = h264_slice_header_init(h, 0)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, + "h264_slice_header_init() failed\n"); + return ret; } }
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
105
106
107
108
109
110
111
112
113
114
s->width = 16 * s->mb_width - (2 >> CHROMA444) * FFMIN(h->sps.crop_right, (8 << CHROMA444) - 1); if (h->sps.frame_mbs_only_flag) s->height = 16 * s->mb_height - (1 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1); else s->height = 16 * s->mb_height - (2 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1); if (FFALIGN(s->avctx->width, 16) == s->width && FFALIGN(s->avctx->height, 16) == s->height) { s->width = s->avctx->width;
+ show +
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
s->height = s->avctx->height; } if (s->context_initialized && (s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { av_log_missing_feature(s->avctx, "Width/height changing with threads", 0); return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } free_tables(h, 0); flush_dpb(s->avctx); ff_MPV_common_end(s); } if (!s->context_initialized) { if (h != h0) { av_log(h->s.avctx, AV_LOG_ERROR, "Cannot (re-)initialize context during parallel decoding.\n"); return -1; } avcodec_set_dimensions(s->avctx, s->width, s->height); s->avctx->sample_aspect_ratio = h->sps.sar; av_assert0(s->avctx->sample_aspect_ratio.den); if (h->sps.video_signal_type_present_flag) { s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; if (h->sps.colour_description_present_flag) { s->avctx->color_primaries = h->sps.color_primaries; s->avctx->color_trc = h->sps.color_trc; s->avctx->colorspace = h->sps.colorspace; } } if (h->sps.timing_info_present_flag) { int64_t den = h->sps.time_scale; if (h->x264_build < 44U) den *= 2; av_reduce(&s->avctx->time_base.num, &s->avctx->time_base.den, h->sps.num_units_in_tick, den, 1 << 30); } switch (h->sps.bit_depth_luma) { case 9: if (CHROMA444) { if (s->avctx->colorspace == AVCOL_SPC_RGB) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP9; } else s->avctx->pix_fmt = AV_PIX_FMT_YUV444P9; } else if (CHROMA422) s->avctx->pix_fmt = AV_PIX_FMT_YUV422P9; else s->avctx->pix_fmt = AV_PIX_FMT_YUV420P9; break; case 10: if (CHROMA444) { if (s->avctx->colorspace == AVCOL_SPC_RGB) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else s->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; } else if (CHROMA422) s->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; else s->avctx->pix_fmt = AV_PIX_FMT_YUV420P10; break; case 8: if (CHROMA444) { if (s->avctx->colorspace == AVCOL_SPC_RGB) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP; } else s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P : AV_PIX_FMT_YUV444P; } else if (CHROMA422) { s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P : AV_PIX_FMT_YUV422P; } else { s->avctx->pix_fmt = s->avctx->get_format(s->avctx, s->avctx->codec->pix_fmts ? s->avctx->codec->pix_fmts : s->avctx->color_range == AVCOL_RANGE_JPEG ? hwaccel_pixfmt_list_h264_jpeg_420 : ff_hwaccel_pixfmt_list_420); } break; default: av_log(s->avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n", h->sps.bit_depth_luma); return AVERROR_INVALIDDATA; } s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id, s->avctx->pix_fmt); if (ff_MPV_common_init(s) < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "ff_MPV_common_init() failed.\n"); return -1; } s->first_field = 0; h->prev_interlaced_frame = 1; init_scan_tables(h); if (ff_h264_alloc_tables(h) < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); return AVERROR(ENOMEM); } if (!HAVE_THREADS || !(s->avctx->active_thread_type & FF_THREAD_SLICE)) { if (context_init(h) < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "context_init() failed.\n"); return -1; } } else { for (i = 1; i < s->slice_context_count; i++) { H264Context *c; c = h->thread_context[i] = av_malloc(sizeof(H264Context)); memcpy(c, h->s.thread_context[i], sizeof(MpegEncContext)); memset(&c->s + 1, 0, sizeof(H264Context) - sizeof(MpegEncContext)); c->h264dsp = h->h264dsp; c->sps = h->sps; c->pps = h->pps; c->pixel_shift = h->pixel_shift; init_scan_tables(c); clone_tables(c, h, i); } for (i = 0; i < s->slice_context_count; i++) if (context_init(h->thread_context[i]) < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "context_init() failed.\n"); return -1; } } }
+ show +
251
252
253
254
255
256
257
258
259
260
if (h == h0 && h->dequant_coeff_pps != pps_id) { h->dequant_coeff_pps = pps_id; init_dequant_tables(h); } h->frame_num = get_bits(&s->gb, h->sps.log2_max_frame_num); h->mb_mbaff = 0; h->mb_aff_frame = 0;

[ffmpeg_CVE-2012-2782_1346931008_decode_update_thread_context.diff] decode_update_thread_context_OLD.c #1
if (dst == src || !s1->context_initialized) return 0; + if (inited && + (s->width != s1->width || + s->height != s1->height || + s->mb_width != s1->mb_width || + s->mb_height != s1->mb_height || + h->sps.bit_depth_luma != h1->sps.bit_depth_luma || + h->sps.chroma_format_idc != h1->sps.chroma_format_idc || + h->sps.colorspace != h1->sps.colorspace)) { + + av_freep(&h->bipred_scratchpad); + + s->width = s1->width; + s->height = s1->height; + s->mb_height = s1->mb_height; + h->b_stride = h1->b_stride; + + if ((err = h264_slice_header_init(h, 1)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "h264_slice_header_init() failed"); + return err; + } + h->context_reinitialized = 1; + + /* update linesize on resize for h264. The h264 decoder doesn't + * necessarily call ff_MPV_frame_start in the new thread */ + s->linesize = s1->linesize; + s->uvlinesize = s1->uvlinesize; + + /* copy block_offset since frame_start may not be called */ + memcpy(h->block_offset, h1->block_offset, sizeof(h->block_offset)); + h264_set_parameter_from_sps(h); + } + err = ff_mpeg_update_thread_context(dst, src); if (err) return err; - // FIXME handle width/height changing if (!inited) { for (i = 0; i < MAX_SPS_COUNT; i++) av_freep(h->sps_buffers + i);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_update_thread_context.c
1
2
3
4
5
6
7
8
static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContext *src) { H264Context *h = dst->priv_data, *h1 = src->priv_data; MpegEncContext *const s = &h->s, *const s1 = &h1->s; int inited = s->context_initialized, err; int i;
+ show +
9
10
11
12
13
14
15
16
17
18
19
if (dst == src || !s1->context_initialized) return 0; err = ff_mpeg_update_thread_context(dst, src); if (err) return err; // FIXME handle width/height changing if (!inited) { for (i = 0; i < MAX_SPS_COUNT; i++) av_freep(h->sps_buffers + i);
+ show +
20
21
22
23
24
25
26
27
28
29
for (i = 0; i < MAX_PPS_COUNT; i++) av_freep(h->pps_buffers + i); // copy all fields after MpegEnc memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); if (ff_h264_alloc_tables(h) < 0) {
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_before_1mo_1343015170_decode_update_thread_context.c
1
2
3
4
5
6
7
8
static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContext *src) { H264Context *h = dst->priv_data, *h1 = src->priv_data; MpegEncContext *const s = &h->s, *const s1 = &h1->s; int inited = s->context_initialized, err; int i;
+ show +
9
10
11
12
13
14
15
16
17
18
19
if (dst == src || !s1->context_initialized) return 0; err = ff_mpeg_update_thread_context(dst, src); if (err) return err; // FIXME handle width/height changing if (!inited) { for (i = 0; i < MAX_SPS_COUNT; i++) av_freep(h->sps_buffers + i);
+ show +
20
21
22
23
24
25
26
27
28
29
for (i = 0; i < MAX_PPS_COUNT; i++) av_freep(h->pps_buffers + i); // copy all fields after MpegEnc memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); if (ff_h264_alloc_tables(h) < 0) {

[ffmpeg_CVE-2012-2783_1355475304_ff_vp56_decode_frame.diff] ff_vp56_decode_frame_OLD.c #1
s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (res < 0) + if (res < 0) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } return res; + } if (res == VP56_SIZE_CHANGE) { int i;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2783_before_imd_1355469726_ff_vp56_decode_frame.c
15
16
17
18
19
20
21
22
23
24
if (remaining_buf_size < alpha_offset) return -1; } for (is_alpha=0; is_alpha < 1+s->has_alpha; is_alpha++) { int mb_row, mb_col, mb_row_flip, mb_offset = 0; int block, y, uv, stride_y, stride_uv; int golden_frame = 0; int res;
+ show +
25
26
27
28
29
30
31
32
s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); if (res < 0) return res; if (res == VP56_SIZE_CHANGE) { int i;
+ show +
33
34
35
36
37
38
39
40
41
42
for (i = 0; i < 4; i++) { if (s->frames[i].data[0]) avctx->release_buffer(avctx, &s->frames[i]); } if (is_alpha) { avcodec_set_dimensions(avctx, 0, 0); return -1; } }

[ffmpeg_CVE-2012-2789_1334394431_decode_subframe.diff] decode_subframe_OLD.c #1
int num_bits = av_log2((s->subframe_len + 3)/4) + 1; for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); + return AVERROR_INVALIDDATA; + } + s->channel[c].num_vec_coeffs = num_vec_coeffs; } } else { for (i = 0; i < s->channels_for_cur_subframe; i++) {
.\cloneFuncs\totalClone\Type-1\CVE-2012-2789_before_1mo_1331057230_decode_subframe.c
103
104
105
106
107
108
109
110
111
112
if ((s->channel[c].transmit_coefs = get_bits1(&s->gb))) transmit_coeffs = 1; } if (transmit_coeffs) { int step; int quant_step = 90 * s->bits_per_sample >> 4; /** decode number of vector coded coefficients */ if ((s->transmit_num_vec_coeffs = get_bits1(&s->gb))) {
+ show +
113
114
115
116
117
118
119
int num_bits = av_log2((s->subframe_len + 3)/4) + 1; for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; } } else { for (i = 0; i < s->channels_for_cur_subframe; i++) {
+ show +
120
121
122
123
124
125
126
127
128
129
int c = s->channel_indexes_for_cur_subframe[i]; s->channel[c].num_vec_coeffs = s->subframe_len; } } /** decode quantization step */ step = get_sbits(&s->gb, 6); quant_step += step; if (step == -32 || step == 31) { const int sign = (step == 31) - 1; int quant = 0;

[ffmpeg_CVE-2012-2791_1355423900_ivi_decode_blocks.diff] ivi_decode_blocks_OLD.c #1
} if (cbp & 1) { /* block coded ? */ + if (!band->scan) { + av_log(avctx, AV_LOG_ERROR, "Scan pattern is not set.\n"); + return AVERROR_INVALIDDATA; + } + scan_pos = -1; memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */
.\cloneFuncs\totalClone\Type-1\CVE-2012-2791_before_imd_1355423502_ivi_decode_blocks.c
64
65
66
67
68
69
70
71
72
73
} } for (blk = 0; blk < num_blocks; blk++) { /* adjust block position in the buffer according to its number */ if (blk & 1) { buf_offs += blk_size; } else if (blk == 2) { buf_offs -= blk_size; buf_offs += blk_size * band->pitch;
+ show +
74
75
76
77
78
79
} if (cbp & 1) { /* block coded ? */ scan_pos = -1; memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */
+ show +
80
81
82
83
84
85
86
87
88
89
while (scan_pos <= num_coeffs) { sym = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); if (sym == rvmap->eob_sym) break; /* End of block */ if (sym == rvmap->esc_sym) { /* Escape - run/val explicitly coded using 3 vlc codes */ run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1; lo = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); hi = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);

[ffmpeg_CVE-2012-2792_1348900842_decode_init.diff] decode_init_OLD.c #1
/* get frame len */ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); + av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE); /* init previous block len */ for (i = 0; i < avctx->channels; i++)
.\cloneFuncs\totalClone\Type-1\CVE-2012-2792_before_1mo_1344157864_decode_init.c
34
35
36
37
38
39
40
41
42
43
} /* generic init */ s->log2_frame_size = av_log2(avctx->block_align) + 4; /* frame info */ s->skip_frame = 1; /* skip first frame */ s->packet_loss = 1; s->len_prefix = s->decode_flags & 0x40;
+ show +
44
45
46
47
48
49
/* get frame len */ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); /* init previous block len */ for (i = 0; i < avctx->channels; i++)
+ show +
50
51
52
53
54
55
56
57
58
59
s->channel[i].prev_block_len = s->samples_per_frame; /* subframe info */ log2_max_num_subframes = (s->decode_flags & 0x38) >> 3; s->max_num_subframes = 1 << log2_max_num_subframes; s->max_subframe_len_bit = 0; s->subframe_len_bits = av_log2(log2_max_num_subframes) + 1; s->min_samples_per_subframe = s->samples_per_frame / s->max_num_subframes; s->dynamic_range_compression = s->decode_flags & 0x80;
.\cloneFuncs\totalClone\Type-3\CVE-2012-2792_before_6mo_1332958333_decode_init.c
34
35
36
37
38
39
40
41
42
43
} /* generic init */ s->log2_frame_size = av_log2(avctx->block_align) + 4; /* frame info */ s->skip_frame = 1; /* skip first frame */ s->packet_loss = 1; s->len_prefix = s->decode_flags & 0x40;
+ show +
44
45
46
47
48
49
/* get frame len */ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); /* init previous block len */ for (i = 0; i < avctx->channels; i++)
+ show +
50
51
52
53
54
55
56
57
58
59
s->channel[i].prev_block_len = s->samples_per_frame; /* subframe info */ log2_max_num_subframes = (s->decode_flags & 0x38) >> 3; s->max_num_subframes = 1 << log2_max_num_subframes; s->max_subframe_len_bit = 0; s->subframe_len_bits = av_log2(log2_max_num_subframes) + 1; num_possible_block_sizes = log2_max_num_subframes + 1; s->min_samples_per_subframe = s->samples_per_frame / s->max_num_subframes;

[ffmpeg_CVE-2012-2793_1334420911_lag_decode_zero_run_line.diff] lag_decode_zero_run_line_OLD.c #1
output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); + if (end - dst < count) { + av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n"); + return AVERROR_INVALIDDATA; + } + memset(dst, 0, count); l->zeros_rem -= count; dst += count;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2793_before_imd_1344467024_lag_decode_zero_run_line.c
3
4
5
6
7
8
9
10
11
12
int width, int esc_count) { int i = 0; int count; uint8_t zero_run = 0; const uint8_t *src_start = src; uint8_t mask1 = -(esc_count < 2); uint8_t mask2 = -(esc_count < 3); uint8_t *end = dst + (width - 2);
+ show +
13
14
15
16
17
18
output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); memset(dst, 0, count); l->zeros_rem -= count; dst += count;
+ show +
19
20
21
22
23
24
25
26
27
28
} while (dst < end) { i = 0; while (!zero_run && dst + i < end) { i++; if (src + i >= src_end) return AVERROR_INVALIDDATA; zero_run = !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2));
.\cloneFuncs\totalClone\Type-3\CVE-2012-2793_before_1mo_1329301815_lag_decode_zero_run_line.c
3
4
5
6
7
8
9
10
11
12
int esc_count) { int i = 0; int count; uint8_t zero_run = 0; const uint8_t *start = src; uint8_t mask1 = -(esc_count < 2); uint8_t mask2 = -(esc_count < 3); uint8_t *end = dst + (width - 2);
+ show +
13
14
15
16
17
18
output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); memset(dst, 0, count); l->zeros_rem -= count; dst += count;
+ show +
19
20
21
22
23
24
25
26
27
28
} while (dst < end) { i = 0; while (!zero_run && dst + i < end) { i++; zero_run = !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2)); } if (zero_run) {

[ffmpeg_CVE-2012-2794_1334491910_decode_mb_info.diff] decode_mb_info_OLD.c #1
((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2794_before_imd_1332607435_decode_mb_info.c
4
5
6
7
8
9
10
11
12
13
int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, mv_scale, blks_per_mb; IVIMbInfo *mb, *ref_mb; int row_offset = band->mb_size * band->pitch; mb = tile->mbs; ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; if (!ref_mb &&
+ show +
14
15
16
17
18
19
((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0;
+ show +
20
21
22
23
24
25
26
27
28
29
for (y = tile->ypos; y < (tile->ypos + tile->height); y += band->mb_size) { mb_offset = offs; for (x = tile->xpos; x < (tile->xpos + tile->width); x += band->mb_size) { mb->xpos = x; mb->ypos = y; mb->buf_offs = mb_offset; if (get_bits1(&ctx->gb)) {
.\cloneFuncs\totalClone\Type-2\CVE-2012-2794_before_1mo_1328780278_decode_mb_info.c
4
5
6
7
8
9
10
11
12
13
int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, mv_scale, blks_per_mb; IVIMbInfo *mb, *ref_mb; int row_offset = band->mb_size * band->pitch; mb = tile->mbs; ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; if (!ref_mb &&
+ show +
14
15
16
17
18
19
((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0;
+ show +
20
21
22
23
24
25
26
27
28
29
for (y = tile->ypos; y < (tile->ypos + tile->height); y += band->mb_size) { mb_offset = offs; for (x = tile->xpos; x < (tile->xpos + tile->width); x += band->mb_size) { mb->xpos = x; mb->ypos = y; mb->buf_offs = mb_offset; if (get_bits1(&ctx->gb)) {

[ffmpeg_CVE-2012-2795_1348938992_decode_channel_residues.diff] decode_channel_residues_OLD.c #1
residue = quo; else { rem_bits = av_ceil_log2(ave_mean); - rem = rem_bits ? get_bits(&s->gb, rem_bits) : 0; + rem = rem_bits ? get_bits_long(&s->gb, rem_bits) : 0; residue = (quo << rem_bits) + rem; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-2795_before_1mo_1344157864_decode_channel_residues.c
29
30
31
32
33
34
35
36
37
38
while(get_bits1(&s->gb)) { quo++; if (get_bits_left(&s->gb) <= 0) return -1; } if (quo >= 32) quo += get_bits_long(&s->gb, get_bits(&s->gb, 5) + 1); ave_mean = (s->ave_sum[ch] + (1 << s->movave_scaling)) >> (s->movave_scaling + 1); if (ave_mean <= 1)
+ show +
39
40
41
42
43
44
residue = quo; else { rem_bits = av_ceil_log2(ave_mean); rem = rem_bits ? get_bits(&s->gb, rem_bits) : 0; residue = (quo << rem_bits) + rem; }
+ show +
45
46
47
48
49
50
51
52
53
54
s->ave_sum[ch] = residue + s->ave_sum[ch] - (s->ave_sum[ch] >> s->movave_scaling); if (residue & 1) residue = -(residue >> 1) - 1; else residue = residue >> 1; s->channel_residues[ch][i] = residue; }

[ffmpeg_CVE-2017-9992_1502471720_decode_dds1.diff] decode_dds1_OLD.c #1
int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; + if ((width | height) & 1) + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2)
.\cloneFuncs\totalClone\Type-1\CVE-2012-2798_after_1mo_1352550176_decode_dds1.c
1
2
3
4
static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height;
+ show +
5
6
7
8
9
10
int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2)
+ show +
11
12
13
14
15
16
17
18
19
20
return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2798_before_1mo_1344157864_decode_dds1.c
1
2
3
4
static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height;
+ show +
5
6
7
8
9
10
int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2)
+ show +
11
12
13
14
15
16
17
18
19
20
return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2;
.\cloneFuncs\totalClone\Type-3\CVE-2012-2798_before_6mo_1331603892_decode_dds1.c
1
2
3
4
static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height;
+ show +
5
6
7
8
9
10
int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2)
+ show +
11
12
13
14
15
16
17
18
19
20
return -1; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) return -1; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2;

[ffmpeg_CVE-2017-9992_1502471720_decode_dds1.diff] decode_dds1_OLD.c #2
return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (width < 4 || frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2798_after_1mo_1352550176_decode_dds1.c
22
23
24
25
26
27
28
29
30
31
return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset]; frame += 2; } } else if (bitbuf & (mask << 1)) { v = bytestream2_get_le16(gb)*2; if (frame - frame_end < v)
+ show +
32
33
34
35
36
37
38
return AVERROR_INVALIDDATA; frame += v; } else { if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
+ show +
39
40
41
42
43
44
45
46
47
48
frame += 2; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; } mask <<= 2; } return 0; }

[ffmpeg_CVE-2012-2798_1348917928_decode_dds1.diff] decode_dds1_OLD.c #1
bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (frame_end - frame < 2) - return AVERROR_INVALIDDATA; + if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2798_before_1mo_1344157864_decode_dds1.c
3
4
5
6
7
8
9
10
11
12
const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) return AVERROR_INVALIDDATA; if (mask == 0x10000) {
+ show +
13
14
15
16
17
18
19
20
bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2;
+ show +
21
22
23
24
25
26
27
28
29
30
count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset]; frame += 2; } } else if (bitbuf & (mask << 1)) {

[ffmpeg_CVE-2012-2798_1348917928_decode_dds1.diff] decode_dds1_OLD.c #2
frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream2_get_le16(gb) * 2; + v = bytestream2_get_le16(gb)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2798_before_1mo_1344157864_decode_dds1.c
18
19
20
21
22
23
24
25
26
27
if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset];
+ show +
28
29
30
31
32
33
34
35
36
frame += 2; } } else if (bitbuf & (mask << 1)) { frame += bytestream2_get_le16(gb) * 2; } else { if (frame_end - frame < width + 2) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
+ show +
37
38
39
40
41
42
43
44
45
46
frame += 2; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; } mask <<= 2; } return 0; }

[ffmpeg_CVE-2012-2799_1334413976_decode_packet.diff] decode_packet_OLD.c #1
* to decode incomplete frames in the s->len_prefix == 0 case. */ s->num_saved_bits = 0; s->packet_loss = 0; + init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } } else {
.\cloneFuncs\totalClone\Type-1\CVE-2012-2799_before_imd_1348938992_decode_packet.c
54
55
56
57
58
59
60
61
62
63
/* decode the cross packet frame if it is valid */ if (num_bits_prev_frame < remaining_packet_bits && !s->packet_loss) decode_frame(s); } else if (s->num_saved_bits - s->frame_offset) { av_dlog(avctx, "ignoring %x previously saved bits\n", s->num_saved_bits - s->frame_offset); } if (s->packet_loss) { /* Reset number of saved bits so that the decoder does not start
+ show +
64
65
66
67
68
69
* to decode incomplete frames in the s->len_prefix == 0 case. */ s->num_saved_bits = 0; s->packet_loss = 0; } } else {
+ show +
70
71
72
73
74
75
76
77
78
79
int frame_size; s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size && (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0);
.\cloneFuncs\totalClone\Type-3\CVE-2012-2799_before_1mo_1331145615_decode_packet.c
51
52
53
54
55
56
57
58
59
60
/* decode the cross packet frame if it is valid */ if (!s->packet_loss) decode_frame(s); } else if (s->num_saved_bits - s->frame_offset) { av_dlog(avctx, "ignoring %x previously saved bits\n", s->num_saved_bits - s->frame_offset); } if (s->packet_loss) { /* Reset number of saved bits so that the decoder does not start
+ show +
61
62
63
64
65
66
* to decode incomplete frames in the s->len_prefix == 0 case. */ s->num_saved_bits = 0; s->packet_loss = 0; } } else {
+ show +
67
68
69
70
71
72
73
74
75
76
int frame_size; s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size && (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0);

[ffmpeg_CVE-2012-2800_1348909678_decode_band.diff] decode_band_OLD.c #1
} tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ivi_process_empty_tile(avctx, band, tile, + result = ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; av_dlog(avctx, "Empty tile encountered!\n"); } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2800_before_imd_1348909614_decode_band.c
36
37
38
39
40
41
42
43
44
45
pos = get_bits_count(&ctx->gb); for (t = 0; t < band->num_tiles; t++) { tile = &band->tiles[t]; if (tile->mb_size != band->mb_size) { av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d\n", band->mb_size, tile->mb_size); return AVERROR_INVALIDDATA;
+ show +
46
47
48
49
50
51
52
53
} tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); av_dlog(avctx, "Empty tile encountered!\n"); } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb);
+ show +
54
55
56
57
58
59
60
61
62
63
if (!tile->data_size) { av_log(avctx, AV_LOG_ERROR, "Tile data size is zero!\n"); return AVERROR_INVALIDDATA; } result = ctx->decode_mb_info(ctx, band, tile, avctx); if (result < 0) break; result = ff_ivi_decode_blocks(&ctx->gb, band, tile);

[ffmpeg_CVE-2012-2800_1348909678_ivi_process_empty_tile.diff] ivi_process_empty_tile_OLD.c #1
-static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale) +static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, + IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2800_before_imd_1348909614_ivi_process_empty_tile.c
+ show +
1
2
3
4
5
static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset;
+ show +
6
7
8
9
10
11
12
13
14
15
IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst; void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs; row_offset = band->mb_size * band->pitch;

[ffmpeg_CVE-2012-2800_1348909678_ivi_process_empty_tile.diff] ivi_process_empty_tile_OLD.c #2
void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " + "parameters %d in ivi_process_empty_tile()\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs;
.\cloneFuncs\totalClone\Type-1\CVE-2012-2800_before_imd_1348909614_ivi_process_empty_tile.c
1
2
3
4
5
6
7
8
static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset; IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst;
+ show +
9
10
11
12
13
14
void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs;
+ show +
15
16
17
18
19
20
21
22
23
24
row_offset = band->mb_size * band->pitch; need_mc = 0; /* reset the mc tracking flag */ for (y = tile->ypos; y < (tile->ypos + tile->height); y += band->mb_size) { mb_offset = offs; for (x = tile->xpos; x < (tile->xpos + tile->width); x += band->mb_size) { mb->xpos = x; mb->ypos = y; mb->buf_offs = mb_offset;

[ffmpeg_CVE-2012-2802_1348932695_ac3_decode_frame.diff] ac3_decode_frame_OLD.c #1
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ + avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
.\cloneFuncs\totalClone\Type-1\CVE-2012-2802_before_1mo_1344157864_ac3_decode_frame.c
95
96
97
98
99
100
101
102
103
104
set_downmix_coeffs(s); } } else if (!s->out_channels) { s->out_channels = avctx->channels; if (s->out_channels < s->channels) s->output_mode = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO; } /* set audio service type based on bitstream mode for AC-3 */ avctx->audio_service_type = s->bitstream_mode; if (s->bitstream_mode == 0x7 && s->channels > 1)
+ show +
105
106
107
108
109
110
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+ show +
111
112
113
114
115
116
117
118
119
120
return ret; } out_samples_flt = (float *)s->frame.data[0]; out_samples_s16 = (int16_t *)s->frame.data[0]; /* decode the audio blocks */ channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on]; for (ch = 0; ch < s->out_channels; ch++) output[ch] = s->output[channel_map[ch]]; for (blk = 0; blk < s->num_blocks; blk++) {

[xen_CVE-2012-2934_1339497222_init_amd.diff] init_amd_OLD.c #1
clear_bit(X86_FEATURE_MWAIT, c->x86_capability); #ifdef __x86_64__ + if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe) + panic("Xen will not boot on this CPU for security reasons.\n" + "Pass \"allow_unsafe\" if you're trusting all your" + " (PV) guest kernels.\n"); + /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2934_before_imd_1338452142_init_amd.c
115
116
117
118
119
120
121
122
123
124
set_bit(X86_FEATURE_TOPOEXT, c->x86_capability); printk(KERN_INFO "CPU: Re-enabling disabled " "Topology Extensions Support\n"); } } amd_get_topology(c); /* Pointless to use MWAIT on Family10 as it does not deep sleep. */ if (c->x86 >= 0x10 && !force_mwait)
+ show +
125
126
127
128
129
clear_bit(X86_FEATURE_MWAIT, c->x86_capability); #ifdef __x86_64__ /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
130
131
132
133
134
135
136
137
138
139
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } #endif
.\cloneFuncs\totalClone\Type-3\CVE-2012-2934_before_1mo_1328796860_init_amd.c
100
101
102
103
104
105
106
107
108
109
set_bit(X86_FEATURE_NONSTOP_TSC, c->x86_capability); if (c->x86 != 0x11) set_bit(X86_FEATURE_TSC_RELIABLE, c->x86_capability); } } amd_get_topology(c); /* Pointless to use MWAIT on Family10 as it does not deep sleep. */ if (c->x86 >= 0x10 && !force_mwait)
+ show +
110
111
112
113
114
clear_bit(X86_FEATURE_MWAIT, c->x86_capability); #ifdef __x86_64__ /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
115
116
117
118
119
120
121
122
123
124
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } #endif
.\cloneFuncs\totalClone\Type-3\CVE-2012-2934_before_6mo_1317976335_init_amd.c
102
103
104
105
106
107
108
109
110
111
set_bit(X86_FEATURE_NONSTOP_TSC, c->x86_capability); if (c->x86 != 0x11) set_bit(X86_FEATURE_TSC_RELIABLE, c->x86_capability); } } amd_get_topology(c); /* Pointless to use MWAIT on Family10 as it does not deep sleep. */ if (c->x86 >= 0x10 && !force_mwait)
+ show +
112
113
114
115
116
clear_bit(X86_FEATURE_MWAIT, c->x86_capability); #ifdef __x86_64__ /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
117
118
119
120
121
122
123
124
125
126
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } #endif

[xen_CVE-2012-3496_1346844543_guest_physmap_mark_populate_on_demand.diff] guest_physmap_mark_populate_on_demand_OLD.c #1
mfn_t omfn; int rc = 0; - BUG_ON(!paging_mode_translate(d)); + if ( !paging_mode_translate(d) ) + return -EINVAL; rc = p2m_gfn_check_limit(d, gfn, order); if ( rc != 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2012-3496_before_imd_1345104979_guest_physmap_mark_populate_on_demand.c
1
2
3
4
5
6
7
int guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, unsigned int order) { struct p2m_domain *p2m = p2m_get_hostp2m(d); unsigned long i, pod_count = 0; p2m_type_t ot;
+ show +
8
9
10
11
12
13
14
mfn_t omfn; int rc = 0; BUG_ON(!paging_mode_translate(d)); rc = p2m_gfn_check_limit(d, gfn, order); if ( rc != 0 )
+ show +
15
16
17
18
19
20
21
22
23
24
return rc; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a;

[xen_CVE-2012-5514_1354646300_guest_physmap_mark_populate_on_demand.diff] guest_physmap_mark_populate_on_demand_OLD.c #2
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); if ( p2m_is_ram(ot) ) { - printk("%s: gfn_to_mfn returned type %d!\n", - __func__, ot); + P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); rc = -EBUSY; goto out; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-3496_before_imd_1345104979_guest_physmap_mark_populate_on_demand.c
15
16
17
18
19
20
21
22
23
24
return rc; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a;
+ show +
25
26
27
28
29
30
31
32
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); if ( p2m_is_ram(ot) ) { printk("%s: gfn_to_mfn returned type %d!\n", __func__, ot); rc = -EBUSY; goto out; }
+ show +
33
34
35
36
37
38
39
40
41
42
else if ( ot == p2m_populate_on_demand ) { /* Count how man PoD entries we'll be replacing if successful */ pod_count++; } } /* Now, actually do the two-way mapping */ if ( !set_p2m_entry(p2m, gfn, _mfn(0), order, p2m_populate_on_demand, p2m->default_access) )
.\cloneFuncs\totalClone\Type-1\CVE-2012-5514_before_imd_1347454766_guest_physmap_mark_populate_on_demand.c
12
13
14
15
16
17
18
19
20
21
return -EINVAL; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a;
+ show +
22
23
24
25
26
27
28
29
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); if ( p2m_is_ram(ot) ) { printk("%s: gfn_to_mfn returned type %d!\n", __func__, ot); rc = -EBUSY; goto out; }
+ show +
30
31
32
33
34
35
36
37
38
39
else if ( ot == p2m_populate_on_demand ) { /* Count how man PoD entries we'll be replacing if successful */ pod_count++; } } /* Now, actually do the two-way mapping */ if ( !set_p2m_entry(p2m, gfn, _mfn(0), order, p2m_populate_on_demand, p2m->default_access) )
.\cloneFuncs\totalClone\Type-3\CVE-2012-3496_before_1mo_1340893085_guest_physmap_mark_populate_on_demand.c
16
17
18
19
20
21
22
23
24
25
return rc; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a;
+ show +
26
27
28
29
30
31
32
33
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); if ( p2m_is_ram(ot) ) { printk("%s: gfn_to_mfn returned type %d!\n", __func__, ot); rc = -EBUSY; goto out; }
+ show +
34
35
36
37
38
39
40
41
42
43
else if ( ot == p2m_populate_on_demand ) { /* Count how man PoD entries we'll be replacing if successful */ pod_count++; } } /* Now, actually do the two-way mapping */ if ( !set_p2m_entry(p2m, gfn, _mfn(0), order, p2m_populate_on_demand, p2m->default_access) )
.\cloneFuncs\totalClone\Type-3\CVE-2012-5514_before_1mo_1346844543_guest_physmap_mark_populate_on_demand.c
16
17
18
19
20
21
22
23
24
25
return rc; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a;
+ show +
26
27
28
29
30
31
32
33
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); if ( p2m_is_ram(ot) ) { printk("%s: gfn_to_mfn returned type %d!\n", __func__, ot); rc = -EBUSY; goto out; }
+ show +
34
35
36
37
38
39
40
41
42
43
else if ( ot == p2m_populate_on_demand ) { /* Count how man PoD entries we'll be replacing if successful */ pod_count++; } } /* Now, actually do the two-way mapping */ if ( !set_p2m_entry(p2m, gfn, _mfn(0), order, p2m_populate_on_demand, p2m->default_access) )

[xen_CVE-2012-3497_1347365869_cpu_callback.diff] cpu_callback_OLD.c #1
struct page_info *p = alloc_domheap_pages(0, workmem_order, 0); per_cpu(workmem, cpu) = p ? page_to_virt(p) : NULL; } + if ( per_cpu(scratch_page, cpu) == NULL ) + { + struct page_info *p = alloc_domheap_page(NULL, 0); + per_cpu(scratch_page, cpu) = p ? page_to_virt(p) : NULL; + } break; } case CPU_DEAD:
.\cloneFuncs\totalClone\Type-1\CVE-2012-3497_before_1mo_1333449335_cpu_callback.c
6
7
8
9
10
11
12
13
14
15
switch ( action ) { case CPU_UP_PREPARE: { if ( per_cpu(dstmem, cpu) == NULL ) { struct page_info *p = alloc_domheap_pages(0, dstmem_order, 0); per_cpu(dstmem, cpu) = p ? page_to_virt(p) : NULL; } if ( per_cpu(workmem, cpu) == NULL ) {
+ show +
16
17
18
19
20
21
struct page_info *p = alloc_domheap_pages(0, workmem_order, 0); per_cpu(workmem, cpu) = p ? page_to_virt(p) : NULL; } break; } case CPU_DEAD:
+ show +
22
23
24
25
26
27
28
29
30
31
case CPU_UP_CANCELED: { if ( per_cpu(dstmem, cpu) != NULL ) { struct page_info *p = virt_to_page(per_cpu(dstmem, cpu)); free_domheap_pages(p, dstmem_order); per_cpu(dstmem, cpu) = NULL; } if ( per_cpu(workmem, cpu) != NULL ) { struct page_info *p = virt_to_page(per_cpu(workmem, cpu));

[xen_CVE-2012-3497_1347365869_cpu_callback.diff] cpu_callback_OLD.c #2
free_domheap_pages(p, workmem_order); per_cpu(workmem, cpu) = NULL; } + if ( per_cpu(scratch_page, cpu) != NULL ) + { + free_domheap_page(virt_to_page(per_cpu(scratch_page, cpu))); + per_cpu(scratch_page, cpu) = NULL; + } break; } default:
.\cloneFuncs\totalClone\Type-1\CVE-2012-3497_before_1mo_1333449335_cpu_callback.c
22
23
24
25
26
27
28
29
30
31
case CPU_UP_CANCELED: { if ( per_cpu(dstmem, cpu) != NULL ) { struct page_info *p = virt_to_page(per_cpu(dstmem, cpu)); free_domheap_pages(p, dstmem_order); per_cpu(dstmem, cpu) = NULL; } if ( per_cpu(workmem, cpu) != NULL ) { struct page_info *p = virt_to_page(per_cpu(workmem, cpu));
+ show +
32
33
34
35
36
37
free_domheap_pages(p, workmem_order); per_cpu(workmem, cpu) = NULL; } break; } default:
+ show +
38
39
40
41
42
break; } return NOTIFY_DONE; }

[xen_CVE-2012-3497_1347365869_tmh_copy_from_client.diff] tmh_copy_from_client_OLD.c #1
EXPORT int tmh_copy_from_client(pfp_t *pfp, tmem_cli_mfn_t cmfn, pagesize_t tmem_offset, - pagesize_t pfn_offset, pagesize_t len, void *cli_va) + pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf) { unsigned long tmem_mfn, cli_mfn = 0; - void *tmem_va; + char *tmem_va, *cli_va = NULL; pfp_t *cli_pfp = NULL; - bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */ + int rc = 1; ASSERT(pfp != NULL); tmem_mfn = page_to_mfn(pfp);
.\cloneFuncs\totalClone\Type-1\CVE-2012-3497_before_1mo_1333449335_tmh_copy_from_client.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
EXPORT int tmh_copy_from_client(pfp_t *pfp, tmem_cli_mfn_t cmfn, pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cli_va) { unsigned long tmem_mfn, cli_mfn = 0; void *tmem_va; pfp_t *cli_pfp = NULL; bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */ ASSERT(pfp != NULL); tmem_mfn = page_to_mfn(pfp);
+ show +
12
13
14
15
16
17
18
19
20
21
tmem_va = map_domain_page(tmem_mfn); if ( tmem_offset == 0 && pfn_offset == 0 && len == 0 ) { memset(tmem_va, 0, PAGE_SIZE); unmap_domain_page(tmem_va); return 1; } if ( !tmemc ) { cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 0);

[xen_CVE-2012-3497_1347365869_tmh_copy_to_client.diff] tmh_copy_to_client_OLD.c #1
EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp, - pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cli_va) + pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, + tmem_cli_va_t clibuf) { unsigned long tmem_mfn, cli_mfn = 0; - void *tmem_va; + char *tmem_va, *cli_va = NULL; pfp_t *cli_pfp = NULL; - bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */ + int rc = 1; ASSERT(pfp != NULL); - if ( !tmemc ) + if ( guest_handle_is_null(clibuf) ) { cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1); if ( cli_va == NULL )
.\cloneFuncs\totalClone\Type-1\CVE-2012-3497_before_1mo_1333449335_tmh_copy_to_client.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp, pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cli_va) { unsigned long tmem_mfn, cli_mfn = 0; void *tmem_va; pfp_t *cli_pfp = NULL; bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */ ASSERT(pfp != NULL); if ( !tmemc ) { cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1); if ( cli_va == NULL )
+ show +
14
15
16
17
18
19
20
21
22
23
return -EFAULT; } tmem_mfn = page_to_mfn(pfp); tmem_va = map_domain_page(tmem_mfn); if (len == PAGE_SIZE && !tmem_offset && !pfn_offset) tmh_copy_page(cli_va, tmem_va); else if ( (tmem_offset+len <= PAGE_SIZE) && (pfn_offset+len <= PAGE_SIZE) ) memcpy((char *)cli_va+pfn_offset,(char *)tmem_va+tmem_offset,len); unmap_domain_page(tmem_va); if ( !tmemc )

[xen_CVE-2012-3498_1346844592_physdev_hvm_map_pirq.diff] physdev_hvm_map_pirq_OLD.c #1
struct hvm_girq_dpci_mapping *girq; uint32_t machine_gsi = 0; + if ( *index < 0 || *index >= NR_HVM_IRQS ) + { + ret = -EINVAL; + break; + } + /* find the machine gsi corresponding to the * emulated gsi */ hvm_irq_dpci = domain_get_irq_dpci(d); if ( hvm_irq_dpci ) { + BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS); list_for_each_entry ( girq, &hvm_irq_dpci->girq[*index], list )
.\cloneFuncs\totalClone\Type-1\CVE-2012-3498_before_1mo_1328195930_physdev_hvm_map_pirq.c
1
2
3
4
5
6
7
8
9
10
static int physdev_hvm_map_pirq( struct domain *d, int type, int *index, int *pirq) { int ret = 0; spin_lock(&d->event_lock); switch ( type ) { case MAP_PIRQ_TYPE_GSI: { struct hvm_irq_dpci *hvm_irq_dpci;
+ show +
11
12
13
14
15
16
17
18
19
20
21
struct hvm_girq_dpci_mapping *girq; uint32_t machine_gsi = 0; /* find the machine gsi corresponding to the * emulated gsi */ hvm_irq_dpci = domain_get_irq_dpci(d); if ( hvm_irq_dpci ) { list_for_each_entry ( girq, &hvm_irq_dpci->girq[*index], list )
+ show +
22
23
24
25
26
27
28
29
30
31
machine_gsi = girq->machine_gsi; } /* found one, this mean we are dealing with a pt device */ if ( machine_gsi ) { *index = domain_pirq_to_irq(d, machine_gsi); *pirq = machine_gsi; ret = (*pirq > 0) ? 0 : *pirq; } /* we didn't find any, this means we are dealing

[qemu_CVE-2012-3515_1346772369_console_putchar.diff] console_putchar_OLD.c #1
s->esc_params[s->nb_esc_params] * 10 + ch - '0'; } } else { - s->nb_esc_params++; + if (s->nb_esc_params < MAX_ESC_PARAMS) + s->nb_esc_params++; if (ch == ';') break; #ifdef DEBUG_CONSOLE
.\cloneFuncs\totalClone\Type-1\CVE-2012-3515_before_1mo_1341950455_console_putchar.c
59
60
61
62
63
64
65
66
67
68
s->nb_esc_params = 0; s->state = TTY_STATE_CSI; } else { s->state = TTY_STATE_NORM; } break; case TTY_STATE_CSI: /* handle escape sequence parameters */ if (ch >= '0' && ch <= '9') { if (s->nb_esc_params < MAX_ESC_PARAMS) { s->esc_params[s->nb_esc_params] =
+ show +
69
70
71
72
73
74
75
s->esc_params[s->nb_esc_params] * 10 + ch - '0'; } } else { s->nb_esc_params++; if (ch == ';') break; #ifdef DEBUG_CONSOLE
+ show +
76
77
78
79
80
81
82
83
84
85
fprintf(stderr, "escape sequence CSI%d;%d%c, %d parameters\n", s->esc_params[0], s->esc_params[1], ch, s->nb_esc_params); #endif s->state = TTY_STATE_NORM; switch(ch) { case 'A': /* move cursor up */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; }

[qemu_CVE-2012-3515_1346772369_console_putchar.diff] console_putchar_OLD.c #2
if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y -= s->esc_params[0]; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->x, s->y - s->esc_params[0]); break; case 'B': /* move cursor down */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y += s->esc_params[0]; - if (s->y >= s->height) { - s->y = s->height - 1; - } + set_cursor(s, s->x, s->y + s->esc_params[0]); break; case 'C': /* move cursor right */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x += s->esc_params[0]; - if (s->x >= s->width) { - s->x = s->width - 1; - } + set_cursor(s, s->x + s->esc_params[0], s->y); break; case 'D': /* move cursor left */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x -= s->esc_params[0]; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->x - s->esc_params[0], s->y); break; case 'G': /* move cursor to column */ - s->x = s->esc_params[0] - 1; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->esc_params[0] - 1, s->y); break; case 'f': case 'H': /* move cursor to row, column */ - s->x = s->esc_params[1] - 1; - if (s->x < 0) { - s->x = 0; - } - s->y = s->esc_params[0] - 1; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1); break; case 'J': switch (s->esc_params[0]) {
.\cloneFuncs\totalClone\Type-1\CVE-2012-3515_before_1mo_1341950455_console_putchar.c
73
74
75
76
77
78
79
80
81
82
if (ch == ';') break; #ifdef DEBUG_CONSOLE fprintf(stderr, "escape sequence CSI%d;%d%c, %d parameters\n", s->esc_params[0], s->esc_params[1], ch, s->nb_esc_params); #endif s->state = TTY_STATE_NORM; switch(ch) { case 'A': /* move cursor up */
+ show +
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } s->y -= s->esc_params[0]; if (s->y < 0) { s->y = 0; } break; case 'B': /* move cursor down */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } s->y += s->esc_params[0]; if (s->y >= s->height) { s->y = s->height - 1; } break; case 'C': /* move cursor right */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } s->x += s->esc_params[0]; if (s->x >= s->width) { s->x = s->width - 1; } break; case 'D': /* move cursor left */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } s->x -= s->esc_params[0]; if (s->x < 0) { s->x = 0; } break; case 'G': /* move cursor to column */ s->x = s->esc_params[0] - 1; if (s->x < 0) { s->x = 0; } break; case 'f': case 'H': /* move cursor to row, column */ s->x = s->esc_params[1] - 1; if (s->x < 0) { s->x = 0; } s->y = s->esc_params[0] - 1; if (s->y < 0) { s->y = 0; } break; case 'J': switch (s->esc_params[0]) {
+ show +
142
143
144
145
146
147
148
149
150
151
case 0: /* clear to end of screen */ for (y = s->y; y < s->height; y++) { for (x = 0; x < s->width; x++) { if (y == s->y && x < s->x) { continue; } console_clear_xy(s, x, y); } }

[linux_CVE-2012-3520_1345530077_unix_dgram_sendmsg.diff] unix_dgram_sendmsg_OLD.c #1
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); - err = scm_send(sock, msg, siocb->scm); + err = scm_send(sock, msg, siocb->scm, false); if (err < 0) return err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-3520_before_1mo_1339193420_unix_dgram_sendmsg.c
9
10
11
12
13
14
15
16
17
18
struct sock *other = NULL; int namelen = 0; /* fake GCC */ int err; unsigned int hash; struct sk_buff *skb; long timeo; struct scm_cookie tmp_scm; int max_level; int data_len = 0;
+ show +
19
20
21
22
23
24
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
25
26
27
28
29
30
31
32
33
34
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out; if (msg->msg_namelen) { err = unix_mkname(sunaddr, msg->msg_namelen, &hash); if (err < 0) goto out; namelen = err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-3520_before_1mo_1339193420_unix_stream_sendmsg.c
4
5
6
7
8
9
10
11
12
13
struct sock_iocb *siocb = kiocb_to_siocb(kiocb); struct sock *sk = sock->sk; struct sock *other = NULL; int err, size; struct sk_buff *skb; int sent = 0; struct scm_cookie tmp_scm; bool fds_sent = false; int max_level;
+ show +
14
15
16
17
18
19
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
20
21
22
23
24
25
26
27
28
29
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out_err; if (msg->msg_namelen) { err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; goto out_err; } else { err = -ENOTCONN;
.\cloneFuncs\totalClone\Type-3\CVE-2012-3520_before_6mo_1329866695_unix_dgram_sendmsg.c
8
9
10
11
12
13
14
15
16
17
struct sockaddr_un *sunaddr = msg->msg_name; struct sock *other = NULL; int namelen = 0; /* fake GCC */ int err; unsigned hash; struct sk_buff *skb; long timeo; struct scm_cookie tmp_scm; int max_level;
+ show +
18
19
20
21
22
23
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
24
25
26
27
28
29
30
31
32
33
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out; if (msg->msg_namelen) { err = unix_mkname(sunaddr, msg->msg_namelen, &hash); if (err < 0) goto out; namelen = err;

[linux_CVE-2012-3520_1345530077_unix_stream_sendmsg.diff] unix_stream_sendmsg_OLD.c #1
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); - err = scm_send(sock, msg, siocb->scm); + err = scm_send(sock, msg, siocb->scm, false); if (err < 0) return err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-3520_before_1mo_1339193420_unix_dgram_sendmsg.c
9
10
11
12
13
14
15
16
17
18
struct sock *other = NULL; int namelen = 0; /* fake GCC */ int err; unsigned int hash; struct sk_buff *skb; long timeo; struct scm_cookie tmp_scm; int max_level; int data_len = 0;
+ show +
19
20
21
22
23
24
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
25
26
27
28
29
30
31
32
33
34
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out; if (msg->msg_namelen) { err = unix_mkname(sunaddr, msg->msg_namelen, &hash); if (err < 0) goto out; namelen = err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-3520_before_1mo_1339193420_unix_stream_sendmsg.c
4
5
6
7
8
9
10
11
12
13
struct sock_iocb *siocb = kiocb_to_siocb(kiocb); struct sock *sk = sock->sk; struct sock *other = NULL; int err, size; struct sk_buff *skb; int sent = 0; struct scm_cookie tmp_scm; bool fds_sent = false; int max_level;
+ show +
14
15
16
17
18
19
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
20
21
22
23
24
25
26
27
28
29
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out_err; if (msg->msg_namelen) { err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; goto out_err; } else { err = -ENOTCONN;
.\cloneFuncs\totalClone\Type-3\CVE-2012-3520_before_6mo_1329866695_unix_dgram_sendmsg.c
8
9
10
11
12
13
14
15
16
17
struct sockaddr_un *sunaddr = msg->msg_name; struct sock *other = NULL; int namelen = 0; /* fake GCC */ int err; unsigned hash; struct sk_buff *skb; long timeo; struct scm_cookie tmp_scm; int max_level;
+ show +
18
19
20
21
22
23
if (NULL == siocb->scm) siocb->scm = &tmp_scm; wait_for_unix_gc(); err = scm_send(sock, msg, siocb->scm); if (err < 0) return err;
+ show +
24
25
26
27
28
29
30
31
32
33
err = -EOPNOTSUPP; if (msg->msg_flags&MSG_OOB) goto out; if (msg->msg_namelen) { err = unix_mkname(sunaddr, msg->msg_namelen, &hash); if (err < 0) goto out; namelen = err;

[linux_CVE-2012-4398_1384297605_kthread.diff] kthread_OLD.c #1
struct kthread_create_info *create = _create; int (*threadfn)(void *data) = create->threadfn; void *data = create->data; + struct completion *done; struct kthread self; int ret;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4398_before_1mo_1367287660_kthread.c
1
2
3
static int kthread(void *_create) { /* Copy data: it's on kthread's stack */
+ show +
4
5
6
7
8
struct kthread_create_info *create = _create; int (*threadfn)(void *data) = create->threadfn; void *data = create->data; struct kthread self; int ret;
+ show +
9
10
11
12
13
14
15
16
17
18
self.flags = 0; self.data = data; init_completion(&self.exited); init_completion(&self.parked); current->vfork_done = &self.exited; /* OK, tell user we're spawned, wait for stop or wakeup */ __set_current_state(TASK_UNINTERRUPTIBLE); create->result = current;

[linux_CVE-2012-4398_1384297605_kthread.diff] kthread_OLD.c #2
init_completion(&self.parked); current->vfork_done = &self.exited; + /* If user was SIGKILLed, I release the structure. */ + done = xchg(&create->done, NULL); + if (!done) { + kfree(create); + do_exit(-EINTR); + } /* OK, tell user we're spawned, wait for stop or wakeup */ __set_current_state(TASK_UNINTERRUPTIBLE); create->result = current; - complete(&create->done); + complete(done); schedule(); ret = -EINTR;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4398_before_1mo_1367287660_kthread.c
3
4
5
6
7
8
9
10
11
12
/* Copy data: it's on kthread's stack */ struct kthread_create_info *create = _create; int (*threadfn)(void *data) = create->threadfn; void *data = create->data; struct kthread self; int ret; self.flags = 0; self.data = data; init_completion(&self.exited);
+ show +
13
14
15
16
17
18
19
20
21
22
init_completion(&self.parked); current->vfork_done = &self.exited; /* OK, tell user we're spawned, wait for stop or wakeup */ __set_current_state(TASK_UNINTERRUPTIBLE); create->result = current; complete(&create->done); schedule(); ret = -EINTR;
+ show +
23
24
25
26
27
28
29
30
if (!test_bit(KTHREAD_SHOULD_STOP, &self.flags)) { __kthread_parkme(&self); ret = threadfn(data); } /* we can't just return, we must preserve "self" on stack */ do_exit(ret); }

[linux_CVE-2012-4461_1352226247_kvm_arch_vcpu_ioctl_set_sregs.diff] kvm_arch_vcpu_ioctl_set_sregs_OLD.c #1
int pending_vec, max_bits, idx; struct desc_ptr dt; + if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE)) + return -EINVAL; + dt.size = sregs->idt.limit; dt.address = sregs->idt.base; kvm_x86_ops->set_idt(vcpu, &dt);
.\cloneFuncs\totalClone\Type-1\CVE-2012-4461_before_1mo_1349368233_kvm_arch_vcpu_ioctl_set_sregs.c
1
2
3
4
int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) { int mmu_reset_needed = 0;
+ show +
5
6
7
8
9
10
int pending_vec, max_bits, idx; struct desc_ptr dt; dt.size = sregs->idt.limit; dt.address = sregs->idt.base; kvm_x86_ops->set_idt(vcpu, &dt);
+ show +
11
12
13
14
15
16
17
18
19
20
dt.size = sregs->gdt.limit; dt.address = sregs->gdt.base; kvm_x86_ops->set_gdt(vcpu, &dt); vcpu->arch.cr2 = sregs->cr2; mmu_reset_needed |= kvm_read_cr3(vcpu) != sregs->cr3; vcpu->arch.cr3 = sregs->cr3; __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); kvm_set_cr8(vcpu, sregs->cr8);
.\cloneFuncs\totalClone\Type-2\CVE-2012-4461_before_6mo_1336034199_kvm_arch_vcpu_ioctl_set_sregs.c
1
2
3
4
int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) { int mmu_reset_needed = 0;
+ show +
5
6
7
8
9
10
int pending_vec, max_bits, idx; struct desc_ptr dt; dt.size = sregs->idt.limit; dt.address = sregs->idt.base; kvm_x86_ops->set_idt(vcpu, &dt);
+ show +
11
12
13
14
15
16
17
18
19
20
dt.size = sregs->gdt.limit; dt.address = sregs->gdt.base; kvm_x86_ops->set_gdt(vcpu, &dt); vcpu->arch.cr2 = sregs->cr2; mmu_reset_needed |= kvm_read_cr3(vcpu) != sregs->cr3; vcpu->arch.cr3 = sregs->cr3; __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); kvm_set_cr8(vcpu, sregs->cr8);

[xen_CVE-2012-4537_1352892962_guest_physmap_add_entry.diff] guest_physmap_add_entry_OLD.c #1
if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) + { rc = -EINVAL; + goto out; /* Failed to update p2m, bail without updating m2p. */ + } if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
.\cloneFuncs\totalClone\Type-1\CVE-2012-4537_before_1mo_1348239766_guest_physmap_add_entry.c
115
116
117
118
119
120
121
122
123
124
ASSERT(mfn_valid(omfn)); P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n", ogfn , mfn_x(omfn)); if ( mfn_x(omfn) == (mfn + i) ) p2m_remove_page(p2m, ogfn, mfn + i, 0); } } } /* Now, actually do the two-way mapping */
+ show +
125
126
127
128
129
130
131
if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) rc = -EINVAL; if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
+ show +
132
133
134
135
136
137
138
139
140
141
set_gpfn_from_mfn(mfn+i, gfn+i); } } else { gdprintk(XENLOG_WARNING, "Adding bad mfn to p2m map (%#lx -> %#lx)\n", gfn, mfn); if ( !set_p2m_entry(p2m, gfn, _mfn(INVALID_MFN), page_order, p2m_invalid, p2m->default_access) ) rc = -EINVAL;
.\cloneFuncs\totalClone\Type-3\CVE-2012-4537_before_6mo_1337246694_guest_physmap_add_entry.c
121
122
123
124
125
126
127
128
129
130
ASSERT(mfn_valid(omfn)); P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n", ogfn , mfn_x(omfn)); if ( mfn_x(omfn) == (mfn + i) ) p2m_remove_page(p2m, ogfn, mfn + i, 0); } } } /* Now, actually do the two-way mapping */
+ show +
131
132
133
134
135
136
137
if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) rc = -EINVAL; if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
+ show +
138
139
140
141
142
143
144
145
146
147
set_gpfn_from_mfn(mfn+i, gfn+i); } } else { gdprintk(XENLOG_WARNING, "Adding bad mfn to p2m map (%#lx -> %#lx)\n", gfn, mfn); if ( !set_p2m_entry(p2m, gfn, _mfn(INVALID_MFN), page_order, p2m_invalid, p2m->default_access) ) rc = -EINVAL;

[xen_CVE-2012-4544_1351264169_xc_dom_build_image.diff] xc_dom_build_image_OLD.c #1
void *ramdiskmap; unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size); + if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 ) + unziplen = 0; + ramdisklen = unziplen ? unziplen : dom->ramdisk_size; + if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0, ramdisklen) != 0 ) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4544_before_1mo_1282671779_xc_dom_build_image.c
19
20
21
22
23
24
25
26
27
28
dom->kernel_seg.vend - dom->kernel_seg.vstart) != 0 ) goto err; if ( dom->kernel_loader->loader(dom) != 0 ) goto err; /* load ramdisk */ if ( dom->ramdisk_blob ) { size_t unziplen, ramdisklen;
+ show +
29
30
31
32
33
34
35
void *ramdiskmap; unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size); ramdisklen = unziplen ? unziplen : dom->ramdisk_size; if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0, ramdisklen) != 0 ) goto err;
+ show +
36
37
38
39
40
41
42
43
44
45
ramdiskmap = xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg); if ( unziplen ) { if ( xc_dom_do_gunzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size, ramdiskmap, ramdisklen) == -1 ) goto err; } else memcpy(ramdiskmap, dom->ramdisk_blob, dom->ramdisk_size);

[xen_CVE-2012-4544_1351264169_xc_dom_check_gzip.diff] xc_dom_check_gzip_OLD.c #1
gzlen = blob + ziplen - 4; unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0]; - if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */ + if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) ) { xc_dom_printf (xch,
.\cloneFuncs\totalClone\Type-1\CVE-2012-4544_before_1mo_1282671779_xc_dom_check_gzip.c
1
2
3
4
5
6
7
8
9
size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) { unsigned char *gzlen; size_t unziplen; if ( strncmp(blob, "\037\213", 2) ) /* not gzipped */ return 0;
+ show +
10
11
12
13
14
15
gzlen = blob + ziplen - 4; unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0]; if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */ { xc_dom_printf (xch,
+ show +
16
17
18
19
20
21
22
"%s: size (zip %zd, unzip %zd) looks insane, skip gunzip", __FUNCTION__, ziplen, unziplen); return 0; } return unziplen + 16; }

[xen_CVE-2012-4544_1351264169_xc_dom_malloc_filemap.diff] xc_dom_malloc_filemap_OLD.c #1
void *xc_dom_malloc_filemap(struct xc_dom_image *dom, - const char *filename, size_t * size) + const char *filename, size_t * size, + const size_t max_size) { struct xc_dom_mem *block = NULL; int fd = -1;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4544_before_1mo_1282671779_xc_dom_malloc_filemap.c
+ show +
1
2
3
4
5
void *xc_dom_malloc_filemap(struct xc_dom_image *dom, const char *filename, size_t * size) { struct xc_dom_mem *block = NULL; int fd = -1;
+ show +
6
7
8
9
10
11
12
13
14
15
fd = open(filename, O_RDONLY); if ( fd == -1 ) goto err; lseek(fd, 0, SEEK_SET); *size = lseek(fd, 0, SEEK_END); block = malloc(sizeof(*block)); if ( block == NULL )

[xen_CVE-2012-4544_1351264169_xc_dom_malloc_filemap.diff] xc_dom_malloc_filemap_OLD.c #2
lseek(fd, 0, SEEK_SET); *size = lseek(fd, 0, SEEK_END); + if ( max_size && *size > max_size ) + { + xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, + "tried to map file which is too large"); + goto err; + } + block = malloc(sizeof(*block)); if ( block == NULL ) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4544_before_1mo_1282671779_xc_dom_malloc_filemap.c
1
2
3
4
5
6
7
8
9
10
void *xc_dom_malloc_filemap(struct xc_dom_image *dom, const char *filename, size_t * size) { struct xc_dom_mem *block = NULL; int fd = -1; fd = open(filename, O_RDONLY); if ( fd == -1 ) goto err;
+ show +
11
12
13
14
15
16
lseek(fd, 0, SEEK_SET); *size = lseek(fd, 0, SEEK_END); block = malloc(sizeof(*block)); if ( block == NULL ) goto err;
+ show +
17
18
19
20
21
22
23
24
25
26
memset(block, 0, sizeof(*block)); block->mmap_len = *size; block->mmap_ptr = mmap(NULL, block->mmap_len, PROT_READ, MAP_SHARED, fd, 0); if ( block->mmap_ptr == MAP_FAILED ) goto err; block->next = dom->memblocks; dom->memblocks = block; dom->alloc_malloc += sizeof(*block); dom->alloc_file_map += block->mmap_len;

[xen_CVE-2012-4544_1351264169_xc_dom_try_gunzip.diff] xc_dom_try_gunzip_OLD.c #1
if ( unziplen == 0 ) return 0; + if ( xc_dom_kernel_check_size(dom, unziplen) ) + return 0; + unzip = xc_dom_malloc(dom, unziplen); if ( unzip == NULL ) return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2012-4544_before_1mo_1282671779_xc_dom_try_gunzip.c
1
2
3
4
5
6
int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size) { void *unzip; size_t unziplen; unziplen = xc_dom_check_gzip(dom->xch, *blob, *size);
+ show +
7
8
9
10
11
12
if ( unziplen == 0 ) return 0; unzip = xc_dom_malloc(dom, unziplen); if ( unzip == NULL ) return -1;
+ show +
13
14
15
16
17
18
19
20
if ( xc_dom_do_gunzip(dom->xch, *blob, *size, unzip, unziplen) == -1 ) return -1; *blob = unzip; *size = unziplen; return 0; }

[xen_CVE-2012-5510_1354646280_gnttab_grow_table.diff] gnttab_grow_table_OLD.c #1
clear_page(gt->shared_raw[i]); } - /* Share the new shared frames with the recipient domain */ - for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) - gnttab_create_shared_page(d, gt, i); - - gt->nr_grant_frames = req_nr_frames; - /* Status pages - version 2 */ if (gt->gt_version > 1) { - if ( gnttab_populate_status_frames(d, gt) ) + if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) goto shared_alloc_failed; } + /* Share the new shared frames with the recipient domain */ + for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) + gnttab_create_shared_page(d, gt, i); + gt->nr_grant_frames = req_nr_frames; + return 1; shared_alloc_failed:
.\cloneFuncs\totalClone\Type-1\CVE-2012-5510_before_1mo_1350488633_gnttab_grow_table.c
19
20
21
22
23
24
25
26
27
28
if ( (gt->active[i] = alloc_xenheap_page()) == NULL ) goto active_alloc_failed; clear_page(gt->active[i]); } /* Shared */ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) { if ( (gt->shared_raw[i] = alloc_xenheap_page()) == NULL ) goto shared_alloc_failed;
+ show +
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
clear_page(gt->shared_raw[i]); } /* Share the new shared frames with the recipient domain */ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) gnttab_create_shared_page(d, gt, i); gt->nr_grant_frames = req_nr_frames; /* Status pages - version 2 */ if (gt->gt_version > 1) { if ( gnttab_populate_status_frames(d, gt) ) goto shared_alloc_failed; } return 1; shared_alloc_failed:
+ show +
48
49
50
51
52
53
54
55
56
57
for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) { free_xenheap_page(gt->shared_raw[i]); gt->shared_raw[i] = NULL; } active_alloc_failed: for ( i = nr_active_grant_frames(gt); i < num_act_frames_from_sha_frames(req_nr_frames); i++ ) { free_xenheap_page(gt->active[i]);

[xen_CVE-2012-5510_1354646280_grant_table_create.diff] grant_table_create_OLD.c #1
clear_page(t->shared_raw[i]); } - for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) - gnttab_create_shared_page(d, t, i); - /* Status pages for grant table - for version 2 */ t->status = xzalloc_array(grant_status_t *, grant_to_status_frames(max_nr_grant_frames)); if ( t->status == NULL ) goto no_mem_4; + + for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) + gnttab_create_shared_page(d, t, i); + t->nr_status_frames = 0; /* Okay, install the structure. */
.\cloneFuncs\totalClone\Type-1\CVE-2012-5510_before_1mo_1350488633_grant_table_create.c
36
37
38
39
40
41
42
43
44
45
t->maptrack[0][i - 1].ref = i; t->maptrack[0][i - 1].ref = MAPTRACK_TAIL; /* Shared grant table. */ if ( (t->shared_raw = xzalloc_array(void *, max_nr_grant_frames)) == NULL ) goto no_mem_3; for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) { if ( (t->shared_raw[i] = alloc_xenheap_page()) == NULL ) goto no_mem_4;
+ show +
46
47
48
49
50
51
52
53
54
55
56
57
58
59
clear_page(t->shared_raw[i]); } for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) gnttab_create_shared_page(d, t, i); /* Status pages for grant table - for version 2 */ t->status = xzalloc_array(grant_status_t *, grant_to_status_frames(max_nr_grant_frames)); if ( t->status == NULL ) goto no_mem_4; t->nr_status_frames = 0; /* Okay, install the structure. */
+ show +
60
61
62
63
64
65
66
67
68
69
d->grant_table = t; return 0; no_mem_4: for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) free_xenheap_page(t->shared_raw[i]); xfree(t->shared_raw); no_mem_3: free_xenheap_page(t->maptrack[0]); xfree(t->maptrack);
.\cloneFuncs\totalClone\Type-2\CVE-2012-5510_before_6mo_1338366213_grant_table_create.c
36
37
38
39
40
41
42
43
44
45
t->maptrack[0][i - 1].ref = i; t->maptrack[0][i - 1].ref = MAPTRACK_TAIL; /* Shared grant table. */ if ( (t->shared_raw = xzalloc_array(void *, max_nr_grant_frames)) == NULL ) goto no_mem_3; for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) { if ( (t->shared_raw[i] = alloc_xenheap_page()) == NULL ) goto no_mem_4;
+ show +
46
47
48
49
50
51
52
53
54
55
56
57
58
59
clear_page(t->shared_raw[i]); } for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) gnttab_create_shared_page(d, t, i); /* Status pages for grant table - for version 2 */ t->status = xzalloc_array(grant_status_t *, grant_to_status_frames(max_nr_grant_frames)); if ( t->status == NULL ) goto no_mem_4; t->nr_status_frames = 0; /* Okay, install the structure. */
+ show +
60
61
62
63
64
65
66
67
68
69
d->grant_table = t; return 0; no_mem_4: for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) free_xenheap_page(t->shared_raw[i]); xfree(t->shared_raw); no_mem_3: free_xenheap_page(t->maptrack[0]); xfree(t->maptrack);

[xen_CVE-2012-5514_1354646300_guest_physmap_mark_populate_on_demand.diff] guest_physmap_mark_populate_on_demand_OLD.c #1
mfn_t omfn; int rc = 0; + if ( !IS_PRIV_FOR(current->domain, d) ) + return -EPERM; + if ( !paging_mode_translate(d) ) return -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2012-5514_before_imd_1347454766_guest_physmap_mark_populate_on_demand.c
1
2
3
4
5
6
7
int guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, unsigned int order) { struct p2m_domain *p2m = p2m_get_hostp2m(d); unsigned long i, pod_count = 0; p2m_type_t ot;
+ show +
8
9
10
11
12
mfn_t omfn; int rc = 0; if ( !paging_mode_translate(d) ) return -EINVAL;
+ show +
13
14
15
16
17
18
19
20
21
22
gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a; omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2012-3496_after_6mo_1366710965_guest_physmap_mark_populate_on_demand.c
1
2
3
4
5
6
7
int guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, unsigned int order) { struct p2m_domain *p2m = p2m_get_hostp2m(d); unsigned long i, pod_count = 0; p2m_type_t ot;
+ show +
8
9
10
11
12
mfn_t omfn; int rc = 0; if ( !paging_mode_translate(d) ) return -EINVAL;
+ show +
13
14
15
16
17
18
19
20
21
22
gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */ for ( i = 0; i < (1UL << order); i++ ) { p2m_access_t a; omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2012-5514_before_1mo_1346844543_guest_physmap_mark_populate_on_demand.c
1
2
3
4
5
6
7
int guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, unsigned int order) { struct p2m_domain *p2m = p2m_get_hostp2m(d); unsigned long i, pod_count = 0; p2m_type_t ot;
+ show +
8
9
10
11
12
mfn_t omfn; int rc = 0; if ( !paging_mode_translate(d) ) return -EINVAL;
+ show +
13
14
15
16
17
18
19
20
21
22
rc = p2m_gfn_check_limit(d, gfn, order); if ( rc != 0 ) return rc; gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn); /* Make sure all gpfns are unused */

[xen_CVE-2012-5515_1354646306_decrease_reservation.diff] decrease_reservation_OLD.c #1
xen_pfn_t gmfn; if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, - a->nr_extents-1) ) + a->nr_extents-1) || + a->extent_order > MAX_ORDER ) return; for ( i = a->nr_done; i < a->nr_extents; i++ )
.\cloneFuncs\totalClone\Type-1\CVE-2012-5515_before_1mo_1350488633_decrease_reservation.c
1
2
3
static void decrease_reservation(struct memop_args *a) { unsigned long i, j;
+ show +
4
5
6
7
8
9
10
xen_pfn_t gmfn; if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, a->nr_extents-1) ) return; for ( i = a->nr_done; i < a->nr_extents; i++ )
+ show +
11
12
13
14
15
16
17
18
19
20
{ if ( hypercall_preempt_check() ) { a->preempted = 1; goto out; } if ( unlikely(__copy_from_guest_offset(&gmfn, a->extent_list, i, 1)) ) goto out;

[xen_CVE-2012-5515_1354646306_populate_physmap.diff] populate_physmap_OLD.c #1
if ( a->memflags & MEMF_populate_on_demand ) { - if ( guest_physmap_mark_populate_on_demand(d, gpfn, + if ( a->extent_order > MAX_ORDER || + guest_physmap_mark_populate_on_demand(d, gpfn, a->extent_order) < 0 ) goto out; }
.\cloneFuncs\totalClone\Type-1\CVE-2012-5515_before_1mo_1350488633_populate_physmap.c
16
17
18
19
20
21
22
23
24
25
{ if ( hypercall_preempt_check() ) { a->preempted = 1; goto out; } if ( unlikely(__copy_from_guest_offset(&gpfn, a->extent_list, i, 1)) ) goto out;
+ show +
26
27
28
29
30
31
if ( a->memflags & MEMF_populate_on_demand ) { if ( guest_physmap_mark_populate_on_demand(d, gpfn, a->extent_order) < 0 ) goto out; }
+ show +
32
33
34
35
36
37
38
39
40
41
else { page = alloc_domheap_pages(d, a->extent_order, a->memflags); if ( unlikely(page == NULL) ) { if ( !opt_tmem || (a->extent_order != 0) ) gdprintk(XENLOG_INFO, "Could not allocate order=%d extent:" " id=%d memflags=%x (%ld of %d)\n", a->extent_order, d->domain_id, a->memflags, i, a->nr_extents);
.\cloneFuncs\totalClone\Type-2\CVE-2012-5515_after_1mo_1357898839_populate_physmap.c
17
18
19
20
21
22
23
24
25
26
{ if ( hypercall_preempt_check() ) { a->preempted = 1; goto out; } if ( unlikely(__copy_from_guest_offset(&gpfn, a->extent_list, i, 1)) ) goto out;
+ show +
27
28
29
30
31
32
if ( a->memflags & MEMF_populate_on_demand ) { if ( guest_physmap_mark_populate_on_demand(d, gpfn, a->extent_order) < 0 ) goto out; }
+ show +
33
34
35
36
37
38
39
40
41
42
else { page = alloc_domheap_pages(d, a->extent_order, a->memflags); if ( unlikely(page == NULL) ) { if ( !opt_tmem || (a->extent_order != 0) ) gdprintk(XENLOG_INFO, "Could not allocate order=%d extent:" " id=%d memflags=%x (%ld of %d)\n", a->extent_order, d->domain_id, a->memflags, i, a->nr_extents);

[xen_CVE-2013-1952_1367507338_set_msi_source_id.diff] set_msi_source_id_OLD.c #1
{ unsigned int sq; + case DEV_TYPE_PCIe_ENDPOINT: case DEV_TYPE_PCIe_BRIDGE: case DEV_TYPE_PCIe2PCI_BRIDGE: - case DEV_TYPE_LEGACY_PCI_BRIDGE: - break; - - case DEV_TYPE_PCIe_ENDPOINT: switch ( pdev->phantom_stride ) { case 1: sq = SQ_13_IGNORE_3; break;
.\cloneFuncs\totalClone\Type-1\CVE-2012-5634_after_1mo_1365677226_set_msi_source_id.c
4
5
6
7
8
9
10
11
12
13
u8 bus, devfn, secbus; int ret; if ( !pdev || !ire ) return; seg = pdev->seg; bus = pdev->bus; devfn = pdev->devfn; switch ( pdev->type )
+ show +
14
15
16
17
18
19
20
21
22
23
24
25
{ unsigned int sq; case DEV_TYPE_PCIe_BRIDGE: case DEV_TYPE_PCIe2PCI_BRIDGE: case DEV_TYPE_LEGACY_PCI_BRIDGE: break; case DEV_TYPE_PCIe_ENDPOINT: switch ( pdev->phantom_stride ) { case 1: sq = SQ_13_IGNORE_3; break;
+ show +
26
27
28
29
30
31
32
33
34
35
case 2: sq = SQ_13_IGNORE_2; break; case 4: sq = SQ_13_IGNORE_1; break; default: sq = SQ_ALL_16; break; } set_ire_sid(ire, SVT_VERIFY_SID_SQ, sq, PCI_BDF2(bus, devfn)); break; case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */
.\cloneFuncs\totalClone\Type-1\CVE-2012-5634_before_imd_1357559812_set_msi_source_id.c
4
5
6
7
8
9
10
11
12
13
u8 bus, devfn, secbus; int ret; if ( !pdev || !ire ) return; seg = pdev->seg; bus = pdev->bus; devfn = pdev->devfn; switch ( pdev->type )
+ show +
14
15
16
17
18
19
20
21
22
23
24
25
{ unsigned int sq; case DEV_TYPE_PCIe_BRIDGE: case DEV_TYPE_PCIe2PCI_BRIDGE: case DEV_TYPE_LEGACY_PCI_BRIDGE: break; case DEV_TYPE_PCIe_ENDPOINT: switch ( pdev->phantom_stride ) { case 1: sq = SQ_13_IGNORE_3; break;
+ show +
26
27
28
29
30
31
32
33
34
35
case 2: sq = SQ_13_IGNORE_2; break; case 4: sq = SQ_13_IGNORE_1; break; default: sq = SQ_ALL_16; break; } set_ire_sid(ire, SVT_VERIFY_SID_SQ, sq, PCI_BDF2(bus, devfn)); break; case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */

[xen_CVE-2013-1952_1367507338_set_msi_source_id.diff] set_msi_source_id_OLD.c #2
break; case DEV_TYPE_PCI: + case DEV_TYPE_LEGACY_PCI_BRIDGE: + case DEV_TYPE_PCI2PCIe_BRIDGE: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ {
.\cloneFuncs\totalClone\Type-1\CVE-2012-5634_after_1mo_1365677226_set_msi_source_id.c
21
22
23
24
25
26
27
28
29
30
case DEV_TYPE_PCIe_ENDPOINT: switch ( pdev->phantom_stride ) { case 1: sq = SQ_13_IGNORE_3; break; case 2: sq = SQ_13_IGNORE_2; break; case 4: sq = SQ_13_IGNORE_1; break; default: sq = SQ_ALL_16; break; } set_ire_sid(ire, SVT_VERIFY_SID_SQ, sq, PCI_BDF2(bus, devfn));
+ show +
31
32
33
34
35
36
break; case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ {
+ show +
37
38
39
40
41
42
43
44
45
46
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } else if ( ret == 1 ) /* find upstream bridge */ { if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
.\cloneFuncs\totalClone\Type-1\CVE-2012-5634_before_imd_1357559812_set_msi_source_id.c
21
22
23
24
25
26
27
28
29
30
case DEV_TYPE_PCIe_ENDPOINT: switch ( pdev->phantom_stride ) { case 1: sq = SQ_13_IGNORE_3; break; case 2: sq = SQ_13_IGNORE_2; break; case 4: sq = SQ_13_IGNORE_1; break; default: sq = SQ_ALL_16; break; } set_ire_sid(ire, SVT_VERIFY_SID_SQ, sq, PCI_BDF2(bus, devfn));
+ show +
31
32
33
34
35
36
break; case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ {
+ show +
37
38
39
40
41
42
43
44
45
46
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } else if ( ret == 1 ) /* find upstream bridge */ { if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
.\cloneFuncs\totalClone\Type-3\CVE-2012-5634_before_1mo_1351872930_set_msi_source_id.c
14
15
16
17
18
19
20
21
22
23
type = pdev_type(seg, bus, devfn); switch ( type ) { case DEV_TYPE_PCIe_BRIDGE: case DEV_TYPE_PCIe2PCI_BRIDGE: case DEV_TYPE_LEGACY_PCI_BRIDGE: break; case DEV_TYPE_PCIe_ENDPOINT: set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
+ show +
24
25
26
27
28
29
break; case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ {
+ show +
30
31
32
33
34
35
36
37
38
39
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } else if ( ret == 1 ) /* find upstream bridge */ { if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,

[xen_CVE-2012-5634_1357748006_set_msi_source_id.diff] set_msi_source_id_OLD.c #1
set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) - set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } break;
.\cloneFuncs\totalClone\Type-1\CVE-2012-5634_before_imd_1357559812_set_msi_source_id.c
33
34
35
36
37
38
39
40
41
42
case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ { set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } else if ( ret == 1 ) /* find upstream bridge */ { if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
+ show +
43
44
45
46
47
48
49
set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, PCI_BDF2(bus, devfn)); } break;
+ show +
50
51
52
53
54
55
56
57
58
default: dprintk(XENLOG_WARNING VTDPREFIX, "d%d: unknown(%u): %04x:%02x:%02x.%u\n", pdev->domain->domain_id, pdev->type, seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn)); break; } }
.\cloneFuncs\totalClone\Type-3\CVE-2012-5634_before_1mo_1351872930_set_msi_source_id.c
26
27
28
29
30
31
32
33
34
35
case DEV_TYPE_PCI: ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); if ( ret == 0 ) /* integrated PCI device */ { set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } else if ( ret == 1 ) /* find upstream bridge */ { if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
+ show +
36
37
38
39
40
41
42
set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, PCI_BDF2(bus, devfn)); } break;
+ show +
43
44
45
46
47
48
49
50
51
default: dprintk(XENLOG_WARNING VTDPREFIX, "d%d: unknown(%u): %04x:%02x:%02x.%u\n", pdev->domain->domain_id, type, seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn)); break; } }

[ffmpeg_CVE-2012-6618_1389617227_av_probe_input_buffer.diff] av_probe_input_buffer_OLD.c #1
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; - int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; /* read probe data */ if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0) return ret; - if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { + if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { av_free(buf);
.\cloneFuncs\totalClone\Type-1\CVE-2012-6618_before_imd_1389610619_av_probe_input_buffer.c
13
14
15
16
17
18
19
20
21
22
} else if (max_probe_size < PROBE_BUF_MIN) { return AVERROR(EINVAL); } if (offset >= max_probe_size) { return AVERROR(EINVAL); } avio_skip(pb, offset); max_probe_size -= offset;
+ show +
23
24
25
26
27
28
29
30
31
32
33
34
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; /* read probe data */ if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0) return ret; if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { av_free(buf);
+ show +
35
36
37
38
39
40
41
42
43
44
return ret; } score = 0; ret = 0; /* error was end of file, nothing read */ } pd.buf_size += ret; pd.buf = buf; memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);

[linux_CVE-2013-0231_1360164638_xen_pcibk_enable_msi.diff] xen_pcibk_enable_msi_OLD.c #1
struct pci_dev *dev, struct xen_pci_op *op) { struct xen_pcibk_dev_data *dev_data; - int otherend = pdev->xdev->otherend_id; int status; if (unlikely(verbose_request))
.\cloneFuncs\totalClone\Type-1\CVE-2013-0231_before_1mo_1316636531_xen_pcibk_enable_msi.c
1
2
static int xen_pcibk_enable_msi(struct xen_pcibk_device *pdev,
+ show +
3
4
5
6
7
8
9
struct pci_dev *dev, struct xen_pci_op *op) { struct xen_pcibk_dev_data *dev_data; int otherend = pdev->xdev->otherend_id; int status; if (unlikely(verbose_request))
+ show +
10
11
12
13
14
15
16
17
18
19
printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev)); status = pci_enable_msi(dev); if (status) { printk(KERN_ERR "error enable msi for guest %x status %x\n", otherend, status); op->value = 0; return XEN_PCI_ERR_op_failed; }

[linux_CVE-2013-0231_1360164638_xen_pcibk_enable_msi.diff] xen_pcibk_enable_msi_OLD.c #2
status = pci_enable_msi(dev); if (status) { - printk(KERN_ERR "error enable msi for guest %x status %x\n", - otherend, status); + pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI for guest %u: err %d\n", + pci_name(dev), pdev->xdev->otherend_id, + status); op->value = 0; return XEN_PCI_ERR_op_failed; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-0231_before_1mo_1316636531_xen_pcibk_enable_msi.c
2
3
4
5
6
7
8
9
10
11
int xen_pcibk_enable_msi(struct xen_pcibk_device *pdev, struct pci_dev *dev, struct xen_pci_op *op) { struct xen_pcibk_dev_data *dev_data; int otherend = pdev->xdev->otherend_id; int status; if (unlikely(verbose_request)) printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev));
+ show +
12
13
14
15
16
17
18
19
status = pci_enable_msi(dev); if (status) { printk(KERN_ERR "error enable msi for guest %x status %x\n", otherend, status); op->value = 0; return XEN_PCI_ERR_op_failed; }
+ show +
20
21
22
23
24
25
26
27
28
29
/* The value the guest needs is actually the IDT vector, not the * the local domain's IRQ number. */ op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0; if (unlikely(verbose_request)) printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev), op->value); dev_data = pci_get_drvdata(dev);

[qemu_CVE-2013-0249_1360743934_curl_init_state.diff] curl_init_state_OLD.c #1
/* Restrict supported protocols to avoid security issues in the more * obscure protocols. For example, do not allow POP3/SMTP/IMAP see * CVE-2013-0249. + * + * Restricting protocols is only supported from 7.19.4 upwards. */ +#if LIBCURL_VERSION_NUM >= 0x071304 curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); +#endif #ifdef DEBUG_VERBOSE curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
.\cloneFuncs\totalClone\Type-1\CVE-2013-0249_before_imd_1360309750_curl_init_state.c
31
32
33
34
35
36
37
38
39
40
curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5); curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, (void *)curl_read_cb); curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state); curl_easy_setopt(state->curl, CURLOPT_PRIVATE, (void *)state); curl_easy_setopt(state->curl, CURLOPT_AUTOREFERER, 1); curl_easy_setopt(state->curl, CURLOPT_FOLLOWLOCATION, 1); curl_easy_setopt(state->curl, CURLOPT_NOSIGNAL, 1); curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg); curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
+ show +
41
42
43
44
45
46
47
48
49
/* Restrict supported protocols to avoid security issues in the more * obscure protocols. For example, do not allow POP3/SMTP/IMAP see * CVE-2013-0249. */ curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); #ifdef DEBUG_VERBOSE curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
+ show +
50
51
52
53
54
55
56
57
#endif has_curl: state->s = s; return state; }

[ffmpeg_CVE-2013-0845_1386527066_read_frame_data.diff] read_frame_data_OLD.c #1
for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; + if (bd.block_length <= 0) { + av_log(ctx->avctx, AV_LOG_WARNING, + "Invalid block length %d in channel data!\n", bd.block_length); + continue; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c;
.\cloneFuncs\totalClone\Type-1\CVE-2013-0845_before_1mo_1380833873_read_frame_data.c
68
69
70
71
72
73
74
75
76
77
return AVERROR_INVALIDDATA; } memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); bd.ra_block = ra_frame; bd.prev_raw_samples = ctx->prev_raw_samples; get_block_sizes(ctx, div_blocks, &bs_info);
+ show +
78
79
80
81
82
for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c;
+ show +
83
84
85
86
87
88
89
90
91
92
bd.shift_lsbs = ctx->shift_lsbs + c; bd.opt_order = ctx->opt_order + c; bd.store_prev_samples = ctx->store_prev_samples + c; bd.use_ltp = ctx->use_ltp + c; bd.ltp_lag = ctx->ltp_lag + c; bd.ltp_gain = ctx->ltp_gain[c]; bd.lpc_cof = ctx->lpc_cof[c]; bd.quant_cof = ctx->quant_cof[c]; bd.raw_samples = ctx->raw_samples[c] + offset; bd.raw_other = NULL;
.\cloneFuncs\totalClone\Type-3\CVE-2013-0845_before_6mo_1368623772_read_frame_data.c
66
67
68
69
70
71
72
73
74
75
return -1; } memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); bd.ra_block = ra_frame; bd.prev_raw_samples = ctx->prev_raw_samples; get_block_sizes(ctx, div_blocks, &bs_info);
+ show +
76
77
78
79
80
for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c;
+ show +
81
82
83
84
85
86
87
88
89
90
bd.shift_lsbs = ctx->shift_lsbs + c; bd.opt_order = ctx->opt_order + c; bd.store_prev_samples = ctx->store_prev_samples + c; bd.use_ltp = ctx->use_ltp + c; bd.ltp_lag = ctx->ltp_lag + c; bd.ltp_gain = ctx->ltp_gain[c]; bd.lpc_cof = ctx->lpc_cof[c]; bd.quant_cof = ctx->quant_cof[c]; bd.raw_samples = ctx->raw_samples[c] + offset; bd.raw_other = NULL;

[ffmpeg_CVE-2013-0848_1407023673_decode_init.diff] decode_init_OLD.c #1
return AVERROR_INVALIDDATA; } + if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && + avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 " + "for this combination of colorspace and predictor type.\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_huffyuv_alloc_temp(s)) < 0) return ret;
.\cloneFuncs\totalClone\Type-1\CVE-2013-0848_after_1mo_1435607977_decode_init.c
86
87
88
89
90
91
92
93
94
95
avctx->pix_fmt = AV_PIX_FMT_BGR24; break; default: return AVERROR_INVALIDDATA; } if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width % 4) { av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 " "for this combination of colorspace and predictor type.\n");
+ show +
96
97
98
99
100
return AVERROR_INVALIDDATA; } if ((ret = ff_huffyuv_alloc_temp(s)) < 0) return ret;
+ show +
101
102
103
return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-0848_before_imd_1407093550_decode_init.c
79
80
81
82
83
84
85
86
87
88
avctx->pix_fmt = AV_PIX_FMT_YUV422P; break; case 24: case 32: if (s->bgr32) avctx->pix_fmt = AV_PIX_FMT_RGB32; else avctx->pix_fmt = AV_PIX_FMT_BGR24; break; default:
+ show +
89
90
91
92
93
return AVERROR_INVALIDDATA; } if ((ret = ff_huffyuv_alloc_temp(s)) < 0) return ret;
+ show +
94
95
96
return 0; }

[ffmpeg_CVE-2013-0852_1406770279_parse_object_segment.diff] parse_object_segment_OLD.c #1
/* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; + if (buf_size > rle_bitmap_len) { + av_log(avctx, AV_LOG_ERROR, + "Buffer dimension %d larger than the expected RLE data %d\n", + buf_size, rle_bitmap_len); + return AVERROR_INVALIDDATA; + } + /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf);
.\cloneFuncs\totalClone\Type-1\CVE-2013-0852_before_imd_1403123916_parse_object_segment.c
38
39
40
41
42
43
44
45
46
47
object->rle_data_len += buf_size; object->rle_remaining_len -= buf_size; return 0; } if (buf_size <= 7) return AVERROR_INVALIDDATA; buf_size -= 7;
+ show +
48
49
50
51
52
53
/* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf);
+ show +
54
55
56
57
58
59
60
61
62
63
/* Make sure the bitmap is not too large */ if (avctx->width < width || avctx->height < height) { av_log(avctx, AV_LOG_ERROR, "Bitmap dimensions larger than video.\n"); return AVERROR_INVALIDDATA; } object->w = width; object->h = height;

[ffmpeg_CVE-2013-0868_1627967147_dnxhd_init_vlc.diff] dnxhd_init_vlc_OLD.c #1
static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { const CIDEntry *cid_table = ff_dnxhd_get_cid_table(cid);
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_1mo_1614246626_dnxhd_init_vlc.c
+ show +
1
2
3
4
static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { if (cid != ctx->cid) { const CIDEntry *cid_table = ff_dnxhd_get_cid_table(cid);
+ show +
5
6
7
8
9
10
11
12
13
14
if (!cid_table) { av_log(ctx->avctx, AV_LOG_ERROR, "unsupported cid %"PRIu32"\n", cid); return AVERROR(ENOSYS); } if (cid_table->bit_depth != bitdepth && cid_table->bit_depth != DNXHD_VARIABLE) { av_log(ctx->avctx, AV_LOG_ERROR, "bit depth mismatches %d %d\n", cid_table->bit_depth, bitdepth); return AVERROR_INVALIDDATA;

[libav_CVE-2013-0868_1407093550_decode_frame.diff] decode_frame_OLD.c #1
int fake_ystride, fake_ustride, fake_vstride; ThreadFrame frame = { .f = data }; AVFrame *const p = data; - int table_size = 0; + int table_size = 0, ret; av_fast_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size,
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_decode_frame.c
1
2
3
4
5
6
7
8
9
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; HYuvContext *s = avctx->priv_data; const int width = s->width; const int width2 = s->width >> 1; const int height = s->height;
+ show +
10
11
12
13
14
15
16
int fake_ystride, fake_ustride, fake_vstride; ThreadFrame frame = { .f = data }; AVFrame *const p = data; int table_size = 0; av_fast_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size,
+ show +
17
18
19
20
21
22
23
24
25
26
buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memset(s->bitstream_buffer + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); s->bdsp.bswap_buf((uint32_t *) s->bitstream_buffer, (const uint32_t *) buf, buf_size / 4); if (ff_thread_get_buffer(avctx, &frame, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
.\cloneFuncs\totalClone\Type-3\CVE-2013-0868_before_1mo_1392310625_decode_frame.c
1
2
3
4
5
6
7
8
9
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; HYuvContext *s = avctx->priv_data; const int width = s->width; const int width2 = s->width>>1; const int height = s->height;
+ show +
10
11
12
13
14
15
16
int fake_ystride, fake_ustride, fake_vstride; ThreadFrame frame = { .f = data }; AVFrame * const p = data; int table_size = 0; av_fast_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size,
+ show +
17
18
19
20
21
22
23
24
25
26
buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memset(s->bitstream_buffer + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); s->bdsp.bswap_buf((uint32_t *) s->bitstream_buffer, (const uint32_t *) buf, buf_size / 4); if (ff_thread_get_buffer(avctx, &frame, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
.\cloneFuncs\totalClone\Type-4\CVE-2013-0868_before_6mo_1380833873_decode_frame.c
1
2
3
4
5
6
7
8
9
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; HYuvContext *s = avctx->priv_data; const int width = s->width; const int width2 = s->width>>1; const int height = s->height;
+ show +
10
11
12
13
14
15
16
int fake_ystride, fake_ustride, fake_vstride; ThreadFrame frame = { .f = data }; AVFrame * const p = data; int table_size = 0; av_fast_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size,
+ show +
17
18
19
20
21
22
23
24
25
26
buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memset(s->bitstream_buffer + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); s->dsp.bswap_buf((uint32_t*)s->bitstream_buffer, (const uint32_t*)buf, buf_size / 4); if (ff_thread_get_buffer(avctx, &frame, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");

[libav_CVE-2013-0868_1407093550_decode_frame.diff] decode_frame_OLD.c #2
s->bdsp.bswap_buf((uint32_t *) s->bitstream_buffer, (const uint32_t *) buf, buf_size / 4); - if (ff_thread_get_buffer(avctx, &frame, 0) < 0) { + if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return ret; } if (s->context) { table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size); if (table_size < 0) - return -1; + return table_size; } if ((unsigned) (buf_size - table_size) >= INT_MAX / 8) return AVERROR_INVALIDDATA; - init_get_bits(&s->gb, s->bitstream_buffer + table_size, - (buf_size - table_size) * 8); + if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size, + (buf_size - table_size) * 8)) < 0) + return ret; fake_ystride = s->interlaced ? p->linesize[0] * 2 : p->linesize[0]; fake_ustride = s->interlaced ? p->linesize[1] * 2 : p->linesize[1];
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_decode_frame.c
12
13
14
15
16
17
18
19
20
21
AVFrame *const p = data; int table_size = 0; av_fast_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memset(s->bitstream_buffer + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+ show +
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
s->bdsp.bswap_buf((uint32_t *) s->bitstream_buffer, (const uint32_t *) buf, buf_size / 4); if (ff_thread_get_buffer(avctx, &frame, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } if (s->context) { table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size); if (table_size < 0) return -1; } if ((unsigned) (buf_size - table_size) >= INT_MAX / 8) return AVERROR_INVALIDDATA; init_get_bits(&s->gb, s->bitstream_buffer + table_size, (buf_size - table_size) * 8); fake_ystride = s->interlaced ? p->linesize[0] * 2 : p->linesize[0]; fake_ustride = s->interlaced ? p->linesize[1] * 2 : p->linesize[1];
+ show +
44
45
46
47
48
49
50
51
52
53
fake_vstride = s->interlaced ? p->linesize[2] * 2 : p->linesize[2]; s->last_slice_end = 0; if (s->bitstream_bpp < 24) { int y, cy; int lefty, leftu, leftv; int lefttopy, lefttopu, lefttopv; if (s->yuy2) {

[libav_CVE-2013-0868_1407093550_decode_init.diff] decode_init_OLD.c #1
static av_cold int decode_init(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; + int ret; ff_huffyuv_common_init(avctx); ff_huffyuvdsp_init(&s->hdsp);
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_decode_init.c
+ show +
1
2
3
4
5
6
static av_cold int decode_init(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; ff_huffyuv_common_init(avctx); ff_huffyuvdsp_init(&s->hdsp);
+ show +
7
8
9
10
11
12
13
14
15
16
memset(s->vlc, 0, 3 * sizeof(VLC)); s->interlaced = s->height > 288; s->bgr32 = 1; if (avctx->extradata_size) { if ((avctx->bits_per_coded_sample & 7) && avctx->bits_per_coded_sample != 12) s->version = 1; // do such files exist at all? else
.\cloneFuncs\totalClone\Type-3\CVE-2013-0868_before_1mo_1392310625_decode_init.c
+ show +
1
2
3
4
5
6
static av_cold int decode_init(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; ff_huffyuv_common_init(avctx); ff_huffyuvdsp_init(&s->hdsp);
+ show +
7
8
9
10
11
12
13
14
15
16
memset(s->vlc, 0, 3 * sizeof(VLC)); s->interlaced = s->height > 288; s->bgr32 = 1; if (avctx->extradata_size) { if ((avctx->bits_per_coded_sample & 7) && avctx->bits_per_coded_sample != 12) s->version = 1; // do such files exist at all?

[libav_CVE-2013-0868_1407093550_decode_init.diff] decode_init_OLD.c #2
s->interlaced = (interlace == 1) ? 1 : (interlace == 2) ? 0 : s->interlaced; s->context = avctx->extradata[2] & 0x40 ? 1 : 0; - if (read_huffman_tables(s, avctx->extradata + 4, - avctx->extradata_size - 4) < 0) - return -1; + if ((ret = read_huffman_tables(s, avctx->extradata + 4, + avctx->extradata_size - 4)) < 0) + return ret; } else { switch (avctx->bits_per_coded_sample & 7) { case 1:
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_decode_init.c
24
25
26
27
28
29
30
31
32
33
if (avctx->extradata_size < 4) return AVERROR_INVALIDDATA; method = avctx->extradata[0]; s->decorrelate = method & 64 ? 1 : 0; s->predictor = method & 63; s->bitstream_bpp = avctx->extradata[1]; if (s->bitstream_bpp == 0) s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; interlace = (avctx->extradata[2] & 0x30) >> 4;
+ show +
34
35
36
37
38
39
40
41
42
s->interlaced = (interlace == 1) ? 1 : (interlace == 2) ? 0 : s->interlaced; s->context = avctx->extradata[2] & 0x40 ? 1 : 0; if (read_huffman_tables(s, avctx->extradata + 4, avctx->extradata_size - 4) < 0) return -1; } else { switch (avctx->bits_per_coded_sample & 7) { case 1:
+ show +
43
44
45
46
47
48
49
50
51
52
s->predictor = LEFT; s->decorrelate = 0; break; case 2: s->predictor = LEFT; s->decorrelate = 1; break; case 3: s->predictor = PLANE; s->decorrelate = avctx->bits_per_coded_sample >= 24;

[libav_CVE-2013-0868_1407093550_decode_init.diff] decode_init_OLD.c #3
s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; s->context = 0; - if (read_old_huffman_tables(s) < 0) - return -1; + if ((ret = read_old_huffman_tables(s)) < 0) + return ret; } switch (s->bitstream_bpp) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_decode_init.c
53
54
55
56
57
58
59
60
61
62
break; case 4: s->predictor = MEDIAN; s->decorrelate = 0; break; default: s->predictor = LEFT; // OLD s->decorrelate = 0; break; }
+ show +
63
64
65
66
67
68
69
70
s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; s->context = 0; if (read_old_huffman_tables(s) < 0) return -1; } switch (s->bitstream_bpp) {
+ show +
71
72
73
74
75
76
77
78
79
80
case 12: avctx->pix_fmt = AV_PIX_FMT_YUV420P; break; case 16: if (s->yuy2) avctx->pix_fmt = AV_PIX_FMT_YUYV422; else avctx->pix_fmt = AV_PIX_FMT_YUV422P; break; case 24:
.\cloneFuncs\totalClone\Type-2\CVE-2013-0848_before_6mo_1380833873_decode_init.c
53
54
55
56
57
58
59
60
61
62
break; case 4: s->predictor = MEDIAN; s->decorrelate = 0; break; default: s->predictor = LEFT; //OLD s->decorrelate = 0; break; }
+ show +
63
64
65
66
67
68
69
70
s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; s->context = 0; if (read_old_huffman_tables(s) < 0) return -1; } switch (s->bitstream_bpp) {
+ show +
71
72
73
74
75
76
77
78
79
80
case 12: avctx->pix_fmt = AV_PIX_FMT_YUV420P; break; case 16: if (s->yuy2) { avctx->pix_fmt = AV_PIX_FMT_YUYV422; } else { avctx->pix_fmt = AV_PIX_FMT_YUV422P; } break;
.\cloneFuncs\totalClone\Type-3\CVE-2013-0868_before_1mo_1392310625_decode_init.c
54
55
56
57
58
59
60
61
62
63
break; case 4: s->predictor = MEDIAN; s->decorrelate = 0; break; default: s->predictor = LEFT; //OLD s->decorrelate = 0; break; }
+ show +
64
65
66
67
68
69
70
71
s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; s->context = 0; if (read_old_huffman_tables(s) < 0) return -1; } switch (s->bitstream_bpp) {
+ show +
72
73
74
75
76
77
78
79
80
81
case 12: avctx->pix_fmt = AV_PIX_FMT_YUV420P; break; case 16: if (s->yuy2) { avctx->pix_fmt = AV_PIX_FMT_YUYV422; } else { avctx->pix_fmt = AV_PIX_FMT_YUV422P; } break;

[libav_CVE-2013-0868_1407093550_generate_joint_tables.diff] generate_joint_tables_OLD.c #1
-static void generate_joint_tables(HYuvContext *s) +static int generate_joint_tables(HYuvContext *s) { uint16_t symbols[1 << VLC_BITS]; uint16_t bits[1 << VLC_BITS]; uint8_t len[1 << VLC_BITS]; + int ret; + if (s->bitstream_bpp < 24) { int p, i, y, u; for (p = 0; p < 3; p++) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_generate_joint_tables.c
+ show +
1
2
3
4
5
6
7
8
static void generate_joint_tables(HYuvContext *s) { uint16_t symbols[1 << VLC_BITS]; uint16_t bits[1 << VLC_BITS]; uint8_t len[1 << VLC_BITS]; if (s->bitstream_bpp < 24) { int p, i, y, u; for (p = 0; p < 3; p++) {
+ show +
9
10
11
12
13
14
15
16
17
18
for (i = y = 0; y < 256; y++) { int len0 = s->len[0][y]; int limit = VLC_BITS - len0; if (limit <= 0) continue; for (u = 0; u < 256; u++) { int len1 = s->len[p][u]; if (len1 > limit) continue; len[i] = len0 + len1;
.\cloneFuncs\totalClone\Type-2\CVE-2013-0868_before_1mo_1392310625_generate_joint_tables.c
+ show +
1
2
3
4
5
6
7
8
static void generate_joint_tables(HYuvContext *s) { uint16_t symbols[1 << VLC_BITS]; uint16_t bits[1 << VLC_BITS]; uint8_t len[1 << VLC_BITS]; if (s->bitstream_bpp < 24) { int p, i, y, u; for (p = 0; p < 3; p++) {
+ show +
9
10
11
12
13
14
15
16
17
18
for (i = y = 0; y < 256; y++) { int len0 = s->len[0][y]; int limit = VLC_BITS - len0; if(limit <= 0) continue; for (u = 0; u < 256; u++) { int len1 = s->len[p][u]; if (len1 > limit) continue; len[i] = len0 + len1;

[libav_CVE-2013-0868_1407093550_generate_joint_tables.diff] generate_joint_tables_OLD.c #2
} } ff_free_vlc(&s->vlc[3 + p]); - ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, - bits, 2, 2, symbols, 2, 2, 0); + if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, + bits, 2, 2, symbols, 2, 2, 0)) < 0) + return ret; } } else { uint8_t (*map)[4] = (uint8_t(*)[4]) s->pix_bgr_map;
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_generate_joint_tables.c
13
14
15
16
17
18
19
20
21
22
continue; for (u = 0; u < 256; u++) { int len1 = s->len[p][u]; if (len1 > limit) continue; len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y << 8) + u; if (symbols[i] != 0xffff) // reserved to mean "invalid" i++;
+ show +
23
24
25
26
27
28
29
30
} } ff_free_vlc(&s->vlc[3 + p]); ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0); } } else { uint8_t (*map)[4] = (uint8_t(*)[4]) s->pix_bgr_map;
+ show +
31
32
33
34
35
36
37
38
39
40
int i, b, g, r, code; int p0 = s->decorrelate; int p1 = !s->decorrelate; /* Restrict the range to +/-16 because that's pretty much guaranteed * to cover all the combinations that fit in 11 bits total, and it * does not matter if we miss a few rare codes. */ for (i = 0, g = -16; g < 16; g++) { int len0 = s->len[p0][g & 255]; int limit0 = VLC_BITS - len0; if (limit0 < 2)
.\cloneFuncs\totalClone\Type-2\CVE-2013-0868_before_1mo_1392310625_generate_joint_tables.c
13
14
15
16
17
18
19
20
21
22
continue; for (u = 0; u < 256; u++) { int len1 = s->len[p][u]; if (len1 > limit) continue; len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y << 8) + u; if(symbols[i] != 0xffff) // reserved to mean "invalid" i++;
+ show +
23
24
25
26
27
28
29
30
} } ff_free_vlc(&s->vlc[3 + p]); ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0); } } else { uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map;
+ show +
31
32
33
34
35
36
37
38
39
40
int i, b, g, r, code; int p0 = s->decorrelate; int p1 = !s->decorrelate; // restrict the range to +/-16 because that's pretty much guaranteed to // cover all the combinations that fit in 11 bits total, and it doesn't // matter if we miss a few rare codes. for (i = 0, g = -16; g < 16; g++) { int len0 = s->len[p0][g & 255]; int limit0 = VLC_BITS - len0; if (limit0 < 2)

[libav_CVE-2013-0868_1407093550_read_old_huffman_tables.diff] read_old_huffman_tables_OLD.c #1
static int read_old_huffman_tables(HYuvContext *s) { GetBitContext gb; - int i; + int i, ret; - init_get_bits(&gb, classic_shift_luma, - classic_shift_luma_table_size * 8); - if (read_len_table(s->len[0], &gb) < 0) - return -1; - - init_get_bits(&gb, classic_shift_chroma, - classic_shift_chroma_table_size * 8); - if (read_len_table(s->len[1], &gb) < 0) - return -1; + if ((ret = init_get_bits(&gb, classic_shift_luma, + classic_shift_luma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[0], &gb)) < 0) + return ret; + + if ((ret = init_get_bits(&gb, classic_shift_chroma, + classic_shift_chroma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[1], &gb)) < 0) + return ret; for (i = 0; i < 256; i++) s->bits[0][i] = classic_add_luma[i];
.\cloneFuncs\totalClone\Type-1\CVE-2013-0868_before_imd_1407090140_read_old_huffman_tables.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
static int read_old_huffman_tables(HYuvContext *s) { GetBitContext gb; int i; init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size * 8); if (read_len_table(s->len[0], &gb) < 0) return -1; init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size * 8); if (read_len_table(s->len[1], &gb) < 0) return -1; for (i = 0; i < 256; i++) s->bits[0][i] = classic_add_luma[i];
+ show +
18
19
20
21
22
23
24
25
26
27
for (i = 0; i < 256; i++) s->bits[1][i] = classic_add_chroma[i]; if (s->bitstream_bpp >= 24) { memcpy(s->bits[1], s->bits[0], 256 * sizeof(uint32_t)); memcpy(s->len[1], s->len[0], 256 * sizeof(uint8_t)); } memcpy(s->bits[2], s->bits[1], 256 * sizeof(uint32_t)); memcpy(s->len[2], s->len[1], 256 * sizeof(uint8_t));

[ffmpeg_CVE-2013-0894_1357862052_vorbis_parse_setup_hdr_floors.diff] vorbis_parse_setup_hdr_floors_OLD.c #1
floor_setup->data.t0.order = get_bits(gb, 8); floor_setup->data.t0.rate = get_bits(gb, 16); floor_setup->data.t0.bark_map_size = get_bits(gb, 16); + if (floor_setup->data.t0.bark_map_size == 0) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 bark map size is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */
.\cloneFuncs\totalClone\Type-1\CVE-2013-0894_before_1mo_1352550176_vorbis_parse_setup_hdr_floors.c
95
96
97
98
99
100
101
102
103
104
if (ff_vorbis_ready_floor1_list(vc->avccontext, floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim)) { return AVERROR_INVALIDDATA; } } else if (floor_setup->floor_type == 0) { unsigned max_codebook_dim = 0; floor_setup->decode = vorbis_floor0_decode;
+ show +
105
106
107
108
109
110
floor_setup->data.t0.order = get_bits(gb, 8); floor_setup->data.t0.rate = get_bits(gb, 16); floor_setup->data.t0.bark_map_size = get_bits(gb, 16); floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */
+ show +
111
112
113
114
115
116
117
118
119
120
if (floor_setup->data.t0.amplitude_bits == 0) { av_log(vc->avccontext, AV_LOG_ERROR, "Floor 0 amplitude bits is 0.\n"); return AVERROR_INVALIDDATA; } floor_setup->data.t0.amplitude_offset = get_bits(gb, 8); floor_setup->data.t0.num_books = get_bits(gb, 4) + 1; /* allocate mem for booklist */ floor_setup->data.t0.book_list =

[linux_CVE-2013-0913_1363048305_validate_exec_list.diff] validate_exec_list_OLD.c #1
int count) { int i; + int relocs_total = 0; + int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
.\cloneFuncs\totalClone\Type-1\CVE-2013-0913_before_1mo_1358455515_validate_exec_list.c
1
2
static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ show +
3
4
5
6
7
8
int count) { int i; for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ show +
9
10
11
12
13
14
15
16
17
18
int length; /* limited by fault_in_pages_readable() */ if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) return -EINVAL; /* First check for malicious input causing overflow */ if (exec[i].relocation_count > INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) return -EINVAL;
.\cloneFuncs\totalClone\Type-2\CVE-2013-0913_before_6mo_1345832298_validate_exec_list.c
1
2
static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ show +
3
4
5
6
7
8
int count) { int i; for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ show +
9
10
11
12
13
14
15
16
17
18
int length; /* limited by fault_in_pages_readable() */ /* First check for malicious input causing overflow */ if (exec[i].relocation_count > INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) return -EINVAL; length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry); if (!access_ok(VERIFY_READ, ptr, length))

[linux_CVE-2013-0913_1363048305_validate_exec_list.diff] validate_exec_list_OLD.c #2
if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) return -EINVAL; - /* First check for malicious input causing overflow */ - if (exec[i].relocation_count > - INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) + /* First check for malicious input causing overflow in + * the worst case where we need to allocate the entire + * relocation tree as a single array. + */ + if (exec[i].relocation_count > relocs_max - relocs_total) return -EINVAL; + relocs_total += exec[i].relocation_count; length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
.\cloneFuncs\totalClone\Type-1\CVE-2013-0913_before_1mo_1358455515_validate_exec_list.c
1
2
3
4
5
6
7
8
9
10
static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, int count) { int i; for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; int length; /* limited by fault_in_pages_readable() */
+ show +
11
12
13
14
15
16
17
18
19
20
if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) return -EINVAL; /* First check for malicious input causing overflow */ if (exec[i].relocation_count > INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) return -EINVAL; length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
+ show +
21
22
23
24
25
26
27
28
29
30
/* we may also need to update the presumed offsets */ if (!access_ok(VERIFY_WRITE, ptr, length)) return -EFAULT; if (fault_in_multipages_readable(ptr, length)) return -EFAULT; } return 0; }

[xen_CVE-2013-1442_1380098485_handle_xsetbv.diff] handle_xsetbv_OLD.c #1
int handle_xsetbv(u32 index, u64 new_bv) { struct vcpu *curr = current; + u64 mask; if ( index != XCR_XFEATURE_ENABLED_MASK ) return -EOPNOTSUPP;
.\cloneFuncs\totalClone\Type-1\CVE-2013-1442_before_1mo_1375720957_handle_xsetbv.c
+ show +
1
2
3
4
5
6
int handle_xsetbv(u32 index, u64 new_bv) { struct vcpu *curr = current; if ( index != XCR_XFEATURE_ENABLED_MASK ) return -EOPNOTSUPP;
+ show +
7
8
9
10
11
12
13
14
15
16
if ( (new_bv & ~xfeature_mask) || !(new_bv & XSTATE_FP) ) return -EINVAL; if ( (new_bv & XSTATE_YMM) && !(new_bv & XSTATE_SSE) ) return -EINVAL; if ( !set_xcr0(new_bv) ) return -EFAULT;

[linux_CVE-2013-1792_1363067071_install_user_keyrings.diff] install_user_keyrings_OLD.c #1
kenter("%p{%u}", user, uid); - if (user->uid_keyring) { + if (user->uid_keyring && user->session_keyring) { kleave(" = 0 [exist]"); return 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-1792_before_1mo_1356044754_install_user_keyrings.c
6
7
8
9
10
11
12
13
14
15
key_perm_t user_keyring_perm; char buf[20]; int ret; uid_t uid; user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; cred = current_cred(); user = cred->user; uid = from_kuid(cred->user_ns, user->uid);
+ show +
16
17
18
19
20
21
kenter("%p{%u}", user, uid); if (user->uid_keyring) { kleave(" = 0 [exist]"); return 0; }
+ show +
22
23
24
25
26
27
28
29
30
31
mutex_lock(&key_user_keyring_mutex); ret = 0; if (!user->uid_keyring) { /* get the UID-specific keyring * - there may be one in existence already as it may have been * pinned by a session, but the user_struct pointing to it * may have been destroyed by setuid */ sprintf(buf, "_uid.%u", uid);

[linux_CVE-2013-1796_1363019692_kvm_set_msr_common.diff] kvm_set_msr_common_OLD.c #1
/* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + /* Check that the address is 32-byte aligned. */ + if (vcpu->arch.time_offset & + (sizeof(struct pvclock_vcpu_time_info) - 1)) + break; + vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
.\cloneFuncs\totalClone\Type-1\CVE-2013-1796_before_imd_1363625672_kvm_set_msr_common.c
75
76
77
78
79
80
81
82
83
84
case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data; kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break;
+ show +
85
86
87
88
89
/* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+ show +
90
91
92
93
94
95
96
97
98
99
if (is_error_page(vcpu->arch.time_page)) vcpu->arch.time_page = NULL; break; } case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break;
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_before_1mo_1359557102_kvm_set_msr_common.c
74
75
76
77
78
79
80
81
82
83
case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data; kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break;
+ show +
84
85
86
87
88
/* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+ show +
89
90
91
92
93
94
95
96
97
98
if (is_error_page(vcpu->arch.time_page)) vcpu->arch.time_page = NULL; break; } case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break;
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_before_6mo_1346998460_kvm_set_msr_common.c
63
64
65
66
67
68
69
70
71
72
case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data; kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break;
+ show +
73
74
75
76
77
/* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+ show +
78
79
80
81
82
83
84
85
86
87
if (is_error_page(vcpu->arch.time_page)) { kvm_release_page_clean(vcpu->arch.time_page); vcpu->arch.time_page = NULL; } break; } case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1;
.\cloneFuncs\totalClone\Type-3\CVE-2013-1797_before_6mo_1345518171_kvm_set_msr_common.c
63
64
65
66
67
68
69
70
71
72
case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data; kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break;
+ show +
73
74
75
76
77
/* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+ show +
78
79
80
81
82
83
84
85
86
87
if (is_error_page(vcpu->arch.time_page)) vcpu->arch.time_page = NULL; break; } case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break;

[linux_CVE-2013-1797_1361400490_kvm_set_msr_common.diff] kvm_set_msr_common_OLD.c #1
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { + u64 gpa_offset; kvmclock_reset(vcpu); vcpu->arch.time = data;
.\cloneFuncs\totalClone\Type-1\CVE-2013-1796_before_imd_1363625672_kvm_set_msr_common.c
63
64
65
66
67
68
69
70
71
72
vcpu->arch.ia32_tsc_adjust_msr = data; } break; case MSR_IA32_MISC_ENABLE: vcpu->arch.ia32_misc_enable_msr = data; break; case MSR_KVM_WALL_CLOCK_NEW: case MSR_KVM_WALL_CLOCK: vcpu->kvm->arch.wall_clock = data; kvm_write_wall_clock(vcpu->kvm, data);
+ show +
73
74
75
76
77
78
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data;
+ show +
79
80
81
82
83
84
85
86
87
88
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page =
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_imd_1363019692_kvm_set_msr_common.c
63
64
65
66
67
68
69
70
71
72
vcpu->arch.ia32_tsc_adjust_msr = data; } break; case MSR_IA32_MISC_ENABLE: vcpu->arch.ia32_misc_enable_msr = data; break; case MSR_KVM_WALL_CLOCK_NEW: case MSR_KVM_WALL_CLOCK: vcpu->kvm->arch.wall_clock = data; kvm_write_wall_clock(vcpu->kvm, data);
+ show +
73
74
75
76
77
78
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data;
+ show +
79
80
81
82
83
84
85
86
87
88
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); /* Check that the address is 32-byte aligned. */
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_before_1mo_1359557102_kvm_set_msr_common.c
62
63
64
65
66
67
68
69
70
71
vcpu->arch.ia32_tsc_adjust_msr = data; } break; case MSR_IA32_MISC_ENABLE: vcpu->arch.ia32_misc_enable_msr = data; break; case MSR_KVM_WALL_CLOCK_NEW: case MSR_KVM_WALL_CLOCK: vcpu->kvm->arch.wall_clock = data; kvm_write_wall_clock(vcpu->kvm, data);
+ show +
72
73
74
75
76
77
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data;
+ show +
78
79
80
81
82
83
84
85
86
87
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page =
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_before_6mo_1346998460_kvm_set_msr_common.c
51
52
53
54
55
56
57
58
59
60
case MSR_IA32_TSCDEADLINE: kvm_set_lapic_tscdeadline_msr(vcpu, data); break; case MSR_IA32_MISC_ENABLE: vcpu->arch.ia32_misc_enable_msr = data; break; case MSR_KVM_WALL_CLOCK_NEW: case MSR_KVM_WALL_CLOCK: vcpu->kvm->arch.wall_clock = data; kvm_write_wall_clock(vcpu->kvm, data);
+ show +
61
62
63
64
65
66
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data;
+ show +
67
68
69
70
71
72
73
74
75
76
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page =
.\cloneFuncs\totalClone\Type-3\CVE-2013-1797_before_6mo_1345518171_kvm_set_msr_common.c
51
52
53
54
55
56
57
58
59
60
case MSR_IA32_TSCDEADLINE: kvm_set_lapic_tscdeadline_msr(vcpu, data); break; case MSR_IA32_MISC_ENABLE: vcpu->arch.ia32_misc_enable_msr = data; break; case MSR_KVM_WALL_CLOCK_NEW: case MSR_KVM_WALL_CLOCK: vcpu->kvm->arch.wall_clock = data; kvm_write_wall_clock(vcpu->kvm, data);
+ show +
61
62
63
64
65
66
break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data;
+ show +
67
68
69
70
71
72
73
74
75
76
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */ if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); vcpu->arch.time_page =

[linux_CVE-2013-1797_1361400490_kvm_arch_vcpu_init.diff] kvm_arch_vcpu_init_OLD.c #1
goto fail_free_wbinvd_dirty_mask; vcpu->arch.ia32_tsc_adjust_msr = 0x0; + vcpu->arch.pv_time_enabled = false; kvm_async_pf_hash_reset(vcpu); kvm_pmu_init(vcpu);
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_1mo_1357642008_kvm_arch_vcpu_init.c
39
40
41
42
43
44
45
46
47
48
r = -ENOMEM; goto fail_free_lapic; } vcpu->arch.mcg_cap = KVM_MAX_MCE_BANKS; if (!zalloc_cpumask_var(&vcpu->arch.wbinvd_dirty_mask, GFP_KERNEL)) goto fail_free_mce_banks; r = fx_init(vcpu); if (r)
+ show +
49
50
51
52
53
goto fail_free_wbinvd_dirty_mask; vcpu->arch.ia32_tsc_adjust_msr = 0x0; kvm_async_pf_hash_reset(vcpu); kvm_pmu_init(vcpu);
+ show +
54
55
56
57
58
59
60
61
62
63
return 0; fail_free_wbinvd_dirty_mask: free_cpumask_var(vcpu->arch.wbinvd_dirty_mask); fail_free_mce_banks: kfree(vcpu->arch.mce_banks); fail_free_lapic: kvm_free_lapic(vcpu); fail_mmu_destroy: kvm_mmu_destroy(vcpu);

[linux_CVE-2013-1797_1361400490_kvm_guest_time_update.diff] kvm_guest_time_update_OLD.c #1
unsigned long flags, this_tsc_khz; struct kvm_vcpu_arch *vcpu = &v->arch; struct kvm_arch *ka = &v->kvm->arch; - void *shared_kaddr; s64 kernel_ns, max_kernel_ns; u64 tsc_timestamp, host_tsc; - struct pvclock_vcpu_time_info *guest_hv_clock; + struct pvclock_vcpu_time_info guest_hv_clock; u8 pvclock_flags; bool use_master_clock;
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_imd_1363019692_kvm_guest_time_update.c
1
2
static int kvm_guest_time_update(struct kvm_vcpu *v) {
+ show +
3
4
5
6
7
8
9
10
11
unsigned long flags, this_tsc_khz; struct kvm_vcpu_arch *vcpu = &v->arch; struct kvm_arch *ka = &v->kvm->arch; void *shared_kaddr; s64 kernel_ns, max_kernel_ns; u64 tsc_timestamp, host_tsc; struct pvclock_vcpu_time_info *guest_hv_clock; u8 pvclock_flags; bool use_master_clock;
+ show +
12
13
14
15
16
17
18
19
20
21
kernel_ns = 0; host_tsc = 0; /* * If the host uses TSC clock, then passthrough TSC as stable * to the guest. */ spin_lock(&ka->pvclock_gtod_sync_lock); use_master_clock = ka->use_master_clock;
.\cloneFuncs\totalClone\Type-2\CVE-2013-1797_before_1mo_1357642008_kvm_guest_time_update.c
1
2
static int kvm_guest_time_update(struct kvm_vcpu *v) {
+ show +
3
4
5
6
7
8
9
10
11
unsigned long flags, this_tsc_khz; struct kvm_vcpu_arch *vcpu = &v->arch; struct kvm_arch *ka = &v->kvm->arch; void *shared_kaddr; s64 kernel_ns, max_kernel_ns; u64 tsc_timestamp, host_tsc; struct pvclock_vcpu_time_info *guest_hv_clock; u8 pvclock_flags; bool use_master_clock;
+ show +
12
13
14
15
16
17
18
19
20
21
kernel_ns = 0; host_tsc = 0; /* Keep irq disabled to prevent changes to the clock */ local_irq_save(flags); this_tsc_khz = __get_cpu_var(cpu_tsc_khz); if (unlikely(this_tsc_khz == 0)) { local_irq_restore(flags); kvm_make_request(KVM_REQ_CLOCK_UPDATE, v);

[linux_CVE-2013-1797_1361400490_kvm_guest_time_update.diff] kvm_guest_time_update_OLD.c #2
local_irq_restore(flags); - if (!vcpu->time_page) + if (!vcpu->pv_time_enabled) return 0; /*
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_imd_1363019692_kvm_guest_time_update.c
51
52
53
54
55
56
57
58
59
60
* very slowly. */ if (vcpu->tsc_catchup) { u64 tsc = compute_guest_tsc(v, kernel_ns); if (tsc > tsc_timestamp) { adjust_tsc_offset_guest(v, tsc - tsc_timestamp); tsc_timestamp = tsc; } }
+ show +
61
62
63
64
65
66
local_irq_restore(flags); if (!vcpu->time_page) return 0; /*
+ show +
67
68
69
70
71
72
73
74
75
76
* Time as measured by the TSC may go backwards when resetting the base * tsc_timestamp. The reason for this is that the TSC resolution is * higher than the resolution of the other clock scales. Thus, many * possible measurments of the TSC correspond to one measurement of any * other clock, and so a spread of values is possible. This is not a * problem for the computation of the nanosecond clock; with TSC rates * around 1GHZ, there can only be a few cycles which correspond to one * nanosecond value, and any path through this code will inevitably * take longer than that. However, with the kernel_ns value itself, * the precision may be much lower, down to HZ granularity. If the
.\cloneFuncs\totalClone\Type-2\CVE-2013-1797_before_1mo_1357642008_kvm_guest_time_update.c
51
52
53
54
55
56
57
58
59
60
* very slowly. */ if (vcpu->tsc_catchup) { u64 tsc = compute_guest_tsc(v, kernel_ns); if (tsc > tsc_timestamp) { adjust_tsc_offset_guest(v, tsc - tsc_timestamp); tsc_timestamp = tsc; } }
+ show +
61
62
63
64
65
66
local_irq_restore(flags); if (!vcpu->time_page) return 0; /*
+ show +
67
68
69
70
71
72
73
74
75
76
* Time as measured by the TSC may go backwards when resetting the base * tsc_timestamp. The reason for this is that the TSC resolution is * higher than the resolution of the other clock scales. Thus, many * possible measurments of the TSC correspond to one measurement of any * other clock, and so a spread of values is possible. This is not a * problem for the computation of the nanosecond clock; with TSC rates * around 1GHZ, there can only be a few cycles which correspond to one * nanosecond value, and any path through this code will inevitably * take longer than that. However, with the kernel_ns value itself, * the precision may be much lower, down to HZ granularity. If the
.\cloneFuncs\totalClone\Type-3\CVE-2013-1797_before_6mo_1345518171_kvm_guest_time_update.c
30
31
32
33
34
35
36
37
38
39
* very slowly. */ if (vcpu->tsc_catchup) { u64 tsc = compute_guest_tsc(v, kernel_ns); if (tsc > tsc_timestamp) { adjust_tsc_offset_guest(v, tsc - tsc_timestamp); tsc_timestamp = tsc; } }
+ show +
40
41
42
43
44
45
local_irq_restore(flags); if (!vcpu->time_page) return 0; /*
+ show +
46
47
48
49
50
51
52
53
54
55
* Time as measured by the TSC may go backwards when resetting the base * tsc_timestamp. The reason for this is that the TSC resolution is * higher than the resolution of the other clock scales. Thus, many * possible measurments of the TSC correspond to one measurement of any * other clock, and so a spread of values is possible. This is not a * problem for the computation of the nanosecond clock; with TSC rates * around 1GHZ, there can only be a few cycles which correspond to one * nanosecond value, and any path through this code will inevitably * take longer than that. However, with the kernel_ns value itself, * the precision may be much lower, down to HZ granularity. If the

[linux_CVE-2013-1797_1361400490_kvm_guest_time_update.diff] kvm_guest_time_update_OLD.c #3
*/ vcpu->hv_clock.version += 2; - shared_kaddr = kmap_atomic(vcpu->time_page); - - guest_hv_clock = shared_kaddr + vcpu->time_offset; + if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time, + &guest_hv_clock, sizeof(guest_hv_clock)))) + return 0; /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ - pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); + pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED); if (vcpu->pvclock_set_guest_stopped_request) { pvclock_flags |= PVCLOCK_GUEST_STOPPED;
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_imd_1363019692_kvm_guest_time_update.c
112
113
114
115
116
117
118
119
120
121
/* With all the info we got, fill in the values */ vcpu->hv_clock.tsc_timestamp = tsc_timestamp; vcpu->hv_clock.system_time = kernel_ns + v->kvm->arch.kvmclock_offset; vcpu->last_kernel_ns = kernel_ns; vcpu->last_guest_tsc = tsc_timestamp; /* * The interface expects us to write an even number signaling that the * update is finished. Since the guest won't see the intermediate * state, we just increase by 2 at the end.
+ show +
122
123
124
125
126
127
128
129
130
131
132
133
*/ vcpu->hv_clock.version += 2; shared_kaddr = kmap_atomic(vcpu->time_page); guest_hv_clock = shared_kaddr + vcpu->time_offset; /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); if (vcpu->pvclock_set_guest_stopped_request) { pvclock_flags |= PVCLOCK_GUEST_STOPPED;
+ show +
134
135
136
137
138
139
140
141
142
143
vcpu->pvclock_set_guest_stopped_request = false; } /* If the host uses TSC clocksource, then it is stable */ if (use_master_clock) pvclock_flags |= PVCLOCK_TSC_STABLE_BIT; vcpu->hv_clock.flags = pvclock_flags; memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
.\cloneFuncs\totalClone\Type-2\CVE-2013-1797_before_1mo_1357642008_kvm_guest_time_update.c
112
113
114
115
116
117
118
119
120
121
/* With all the info we got, fill in the values */ vcpu->hv_clock.tsc_timestamp = tsc_timestamp; vcpu->hv_clock.system_time = kernel_ns + v->kvm->arch.kvmclock_offset; vcpu->last_kernel_ns = kernel_ns; vcpu->last_guest_tsc = tsc_timestamp; /* * The interface expects us to write an even number signaling that the * update is finished. Since the guest won't see the intermediate * state, we just increase by 2 at the end.
+ show +
122
123
124
125
126
127
128
129
130
131
132
133
*/ vcpu->hv_clock.version += 2; shared_kaddr = kmap_atomic(vcpu->time_page); guest_hv_clock = shared_kaddr + vcpu->time_offset; /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); if (vcpu->pvclock_set_guest_stopped_request) { pvclock_flags |= PVCLOCK_GUEST_STOPPED;
+ show +
134
135
136
137
138
139
140
141
142
143
vcpu->pvclock_set_guest_stopped_request = false; } /* If the host uses TSC clocksource, then it is stable */ if (use_master_clock) pvclock_flags |= PVCLOCK_TSC_STABLE_BIT; vcpu->hv_clock.flags = pvclock_flags; memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,

[linux_CVE-2013-1797_1361400490_kvm_set_msr_common.diff] kvm_set_msr_common_OLD.c #2
if (!(data & 1)) break; - /* ...but clean it before doing the actual write */ - vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + gpa_offset = data & ~(PAGE_MASK | 1); /* Check that the address is 32-byte aligned. */ - if (vcpu->arch.time_offset & - (sizeof(struct pvclock_vcpu_time_info) - 1)) + if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)) break; - vcpu->arch.time_page = - gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); - - if (is_error_page(vcpu->arch.time_page)) - vcpu->arch.time_page = NULL; + if (kvm_gfn_to_hva_cache_init(vcpu->kvm, + &vcpu->arch.pv_time, data & ~1ULL)) + vcpu->arch.pv_time_enabled = false; + else + vcpu->arch.pv_time_enabled = true; break; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-1797_before_imd_1363019692_kvm_set_msr_common.c
72
73
74
75
76
77
78
79
80
81
kvm_write_wall_clock(vcpu->kvm, data); break; case MSR_KVM_SYSTEM_TIME_NEW: case MSR_KVM_SYSTEM_TIME: { kvmclock_reset(vcpu); vcpu->arch.time = data; kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); /* we verify if the enable bit is set... */
+ show +
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
if (!(data & 1)) break; /* ...but clean it before doing the actual write */ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); /* Check that the address is 32-byte aligned. */ if (vcpu->arch.time_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)) break; vcpu->arch.time_page = gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); if (is_error_page(vcpu->arch.time_page)) vcpu->arch.time_page = NULL; break; }
+ show +
101
102
103
104
105
106
107
108
109
110
case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1; if (data & KVM_STEAL_RESERVED_MASK)

[xen_CVE-2013-1920_1365148743_get_free_port.diff] get_free_port_OLD.c #1
chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET); if ( unlikely(chn == NULL) ) return -ENOMEM; - bucket_from_port(d, port) = chn; for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-1920_before_1mo_1357901041_get_free_port.c
7
8
9
10
11
12
13
14
15
16
if ( d->is_dying ) return -EINVAL; for ( port = 0; port_is_valid(d, port); port++ ) if ( evtchn_from_port(d, port)->state == ECS_FREE ) return port; if ( port == MAX_EVTCHNS(d) ) return -ENOSPC;
+ show +
17
18
19
20
21
22
23
chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET); if ( unlikely(chn == NULL) ) return -ENOMEM; bucket_from_port(d, port) = chn; for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) {
+ show +
24
25
26
27
28
29
30
31
32
33
if ( xsm_alloc_security_evtchn(&chn[i]) ) { for ( j = 0; j < i; j++ ) xsm_free_security_evtchn(&chn[j]); xfree(chn); return -ENOMEM; } } return port;

[libtiff_CVE-2013-1960_1367506448_t2p_process_jpeg_strip.diff] t2p_process_jpeg_strip_OLD.c #1
uint32 height){ tsize_t i=0; - uint16 ri =0; - uint16 v_samp=1; - uint16 h_samp=1; - int j=0; - - i++; - - while(i<(*striplength)){ + + while (i < *striplength) { + tsize_t datalen; + uint16 ri; + uint16 v_samp; + uint16 h_samp; + int j; + int ncomp; + + /* marker header: one or more FFs */ + if (strip[i] != 0xff) + return(0); + i++; + while (i < *striplength && strip[i] == 0xff) + i++; + if (i >= *striplength) + return(0); + /* SOI is the only pre-SOS marker without a length word */ + if (strip[i] == 0xd8) + datalen = 0; + else { + if ((*striplength - i) <= 2) + return(0); + datalen = (strip[i+1] << 8) | strip[i+2]; + if (datalen < 2 || datalen >= (*striplength - i)) + return(0); + } switch( strip[i] ){ - case 0xd8: - /* SOI - start of image */ + case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; - i+=2; break; - case 0xc0: - case 0xc1: - case 0xc3: - case 0xc9: - case 0xca: + case 0xc0: /* SOF0 */ + case 0xc1: /* SOF1 */ + case 0xc3: /* SOF3 */ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - for(j=0;j<buffer[*bufferoffset+9];j++){ - if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; + for(j=0;j<ncomp;j++){ + uint16 samp = buffer[*bufferoffset+11+(3*j)]; + if( (samp>>4) > h_samp) + h_samp = (samp>>4); + if( (samp & 0x0f) > v_samp) + v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8;
.\cloneFuncs\totalClone\Type-1\CVE-2013-1960_before_1mo_1342712621_t2p_process_jpeg_strip.c
1
2
3
4
5
6
int t2p_process_jpeg_strip( unsigned char* strip, tsize_t* striplength, unsigned char* buffer, tsize_t* bufferoffset, tstrip_t no,
+ show +
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
uint32 height){ tsize_t i=0; uint16 ri =0; uint16 v_samp=1; uint16 h_samp=1; int j=0; i++; while(i<(*striplength)){ switch( strip[i] ){ case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; i+=2; break; case 0xc0: case 0xc1: case 0xc3: case 0xc9: case 0xca: if(no==0){ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); for(j=0;j<buffer[*bufferoffset+9];j++){ if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); } v_samp*=8; h_samp*=8;
+ show +
40
41
42
43
44
45
46
47
48
49
ri=((( ((uint16)(buffer[*bufferoffset+5])<<8) | (uint16)(buffer[*bufferoffset+6]) )+v_samp-1)/ v_samp); ri*=((( ((uint16)(buffer[*bufferoffset+7])<<8) | (uint16)(buffer[*bufferoffset+8]) )+h_samp-1)/ h_samp); buffer[*bufferoffset+5]= (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff);

[xen_CVE-2013-2072_1369838891_pyxc_vcpu_setaffinity.diff] pyxc_vcpu_setaffinity_OLD.c #1
int vcpu = 0, i; xc_cpumap_t cpumap; PyObject *cpulist = NULL; + int nr_cpus; static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
.\cloneFuncs\totalClone\Type-1\CVE-2013-2072_before_1mo_1328894690_pyxc_vcpu_setaffinity.c
1
2
3
4
5
static PyObject *pyxc_vcpu_setaffinity(XcObject *self, PyObject *args, PyObject *kwds) { uint32_t dom;
+ show +
6
7
8
9
10
int vcpu = 0, i; xc_cpumap_t cpumap; PyObject *cpulist = NULL; static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+ show +
11
12
13
14
15
16
17
18
19
20
if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i|iO", kwd_list, &dom, &vcpu, &cpulist) ) return NULL; cpumap = xc_cpumap_alloc(self->xc_handle); if(cpumap == NULL) return pyxc_error_to_exception(self->xc_handle); if ( (cpulist != NULL) && PyList_Check(cpulist) )

[xen_CVE-2013-2072_1369838891_pyxc_vcpu_setaffinity.diff] pyxc_vcpu_setaffinity_OLD.c #2
&dom, &vcpu, &cpulist) ) return NULL; + nr_cpus = xc_get_max_cpus(self->xc_handle); + if ( nr_cpus == 0 ) + return pyxc_error_to_exception(self->xc_handle); + cpumap = xc_cpumap_alloc(self->xc_handle); if(cpumap == NULL) return pyxc_error_to_exception(self->xc_handle);
.\cloneFuncs\totalClone\Type-1\CVE-2013-2072_before_1mo_1328894690_pyxc_vcpu_setaffinity.c
3
4
5
6
7
8
9
10
11
12
PyObject *kwds) { uint32_t dom; int vcpu = 0, i; xc_cpumap_t cpumap; PyObject *cpulist = NULL; static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL }; if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i|iO", kwd_list,
+ show +
13
14
15
16
17
18
&dom, &vcpu, &cpulist) ) return NULL; cpumap = xc_cpumap_alloc(self->xc_handle); if(cpumap == NULL) return pyxc_error_to_exception(self->xc_handle);
+ show +
19
20
21
22
23
24
25
26
27
28
if ( (cpulist != NULL) && PyList_Check(cpulist) ) { for ( i = 0; i < PyList_Size(cpulist); i++ ) { long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); cpumap[cpu / 8] |= 1 << (cpu % 8); } }

[xen_CVE-2013-2072_1369838891_pyxc_vcpu_setaffinity.diff] pyxc_vcpu_setaffinity_OLD.c #3
for ( i = 0; i < PyList_Size(cpulist); i++ ) { long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); + if ( cpu < 0 || cpu >= nr_cpus ) + { + free(cpumap); + errno = EINVAL; + PyErr_SetFromErrno(xc_error_obj); + return NULL; + } cpumap[cpu / 8] |= 1 << (cpu % 8); } }
.\cloneFuncs\totalClone\Type-1\CVE-2013-2072_before_1mo_1328894690_pyxc_vcpu_setaffinity.c
12
13
14
15
16
17
18
19
20
21
if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i|iO", kwd_list, &dom, &vcpu, &cpulist) ) return NULL; cpumap = xc_cpumap_alloc(self->xc_handle); if(cpumap == NULL) return pyxc_error_to_exception(self->xc_handle); if ( (cpulist != NULL) && PyList_Check(cpulist) ) {
+ show +
22
23
24
25
26
27
for ( i = 0; i < PyList_Size(cpulist); i++ ) { long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); cpumap[cpu / 8] |= 1 << (cpu % 8); } }
+ show +
28
29
30
31
32
33
34
35
36
37
if ( xc_vcpu_setaffinity(self->xc_handle, dom, vcpu, cpumap) != 0 ) { free(cpumap); return pyxc_error_to_exception(self->xc_handle); } Py_INCREF(zero); free(cpumap); return zero; }

[xen_CVE-2016-3158_1459254266_xrstor.diff] xrstor_OLD.c #1
* data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && - !(ptr->fpu_sse.fsw & 0x0080) && + !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
.\cloneFuncs\totalClone\Type-1\CVE-2013-2077_before_imd_1370330814_xrstor.c
3
4
5
6
7
8
9
10
11
12
uint32_t hmask = mask >> 32; uint32_t lmask = mask; struct xsave_struct *ptr = v->arch.xsave_area; /* * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved
+ show +
13
14
15
16
17
18
19
* data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && !(ptr->fpu_sse.fsw & 0x0080) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
+ show +
20
21
22
23
24
25
26
27
"fildl %0" /* load to clear state */ : : "m" (ptr->fpu_sse) ); asm volatile ( ".byte " REX_PREFIX "0x0f,0xae,0x2f" : : "m" (*ptr), "a" (lmask), "d" (hmask), "D"(ptr) ); }
.\cloneFuncs\totalClone\Type-1\CVE-2016-3158_before_1mo_1456485373_xrstor.c
3
4
5
6
7
8
9
10
11
12
uint32_t hmask = mask >> 32; uint32_t lmask = mask; struct xsave_struct *ptr = v->arch.xsave_area; unsigned int faults, prev_faults; /* * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved
+ show +
13
14
15
16
17
18
19
* data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && !(ptr->fpu_sse.fsw & 0x0080) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
+ show +
20
21
22
23
24
25
26
27
28
29
"fildl %0" /* load to clear state */ : : "m" (ptr->fpu_sse) ); /* * XRSTOR can fault if passed a corrupted data block. We handle this * possibility, which may occur if the block was passed to us by control * tools or through VCPUOP_initialise, by silently adjusting state. */ for ( prev_faults = faults = 0; ; prev_faults = faults ) {
.\cloneFuncs\totalClone\Type-4\CVE-2006-1056_after_1mo_1375720957_xrstor.c
2
3
4
5
6
7
8
9
10
11
{ uint32_t hmask = mask >> 32; uint32_t lmask = mask; struct xsave_struct *ptr = v->arch.xsave_area; /* * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved
+ show +
12
13
14
15
16
17
18
* data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && !(ptr->fpu_sse.fsw & 0x0080) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
+ show +
19
20
21
22
23
24
25
26
27
28
"fildl %0" /* load to clear state */ : : "m" (ptr->fpu_sse) ); /* * XRSTOR can fault if passed a corrupted data block. We handle this * possibility, which may occur if the block was passed to us by control * tools or through VCPUOP_initialise, by silently clearing the block. */ switch ( __builtin_expect(ptr->fpu_sse.x[FPU_WORD_SIZE_OFFSET], 8) ) {
.\cloneFuncs\totalClone\Type-4\CVE-2006-1056_after_imd_1370330878_xrstor.c
3
4
5
6
7
8
9
10
11
12
uint32_t hmask = mask >> 32; uint32_t lmask = mask; struct xsave_struct *ptr = v->arch.xsave_area; /* * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved
+ show +
13
14
15
16
17
18
19
* data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && !(ptr->fpu_sse.fsw & 0x0080) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
+ show +
20
21
22
23
24
25
26
27
28
29
"fildl %0" /* load to clear state */ : : "m" (ptr->fpu_sse) ); /* * XRSTOR can fault if passed a corrupted data block. We handle this * possibility, which may occur if the block was passed to us by control * tools or through VCPUOP_initialise, by silently clearing the block. */ asm volatile ( "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" ".section .fixup,\"ax\"\n"

[xen_CVE-2013-2078_1370330947_emulate_privileged_op.diff] emulate_privileged_op_OLD.c #1
if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; + /* YMM state takes SSE state as prerequisite. */ + if ( (xfeature_mask & new_xfeature & XSTATE_YMM) && + !(new_xfeature & XSTATE_SSE) ) + goto fail; + v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
.\cloneFuncs\totalClone\Type-1\CVE-2013-2078_before_imd_1367935960_emulate_privileged_op.c
352
353
354
355
356
357
358
359
360
361
goto skip; } if ( !guest_kernel_mode(v, regs) ) goto fail; switch ( (u32)regs->ecx ) { case XCR_XFEATURE_ENABLED_MASK: /* bit 0 of XCR0 must be set and reserved bit must not be set */
+ show +
362
363
364
365
366
367
if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
+ show +
368
369
370
371
372
373
374
375
376
377
break; default: goto fail; } break; } default: goto fail; } break;
.\cloneFuncs\totalClone\Type-2\CVE-2013-2078_before_1mo_1367507105_emulate_privileged_op.c
352
353
354
355
356
357
358
359
360
361
goto skip; } if ( !guest_kernel_mode(v, regs) ) goto fail; switch ( (u32)regs->ecx ) { case XCR_XFEATURE_ENABLED_MASK: /* bit 0 of XCR0 must be set and reserved bit must not be set */
+ show +
362
363
364
365
366
367
if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
+ show +
368
369
370
371
372
373
374
375
376
377
break; default: goto fail; } break; } default: goto fail; } break;
.\cloneFuncs\totalClone\Type-2\CVE-2013-4368_before_6mo_1361463166_emulate_privileged_op.c
352
353
354
355
356
357
358
359
360
361
goto skip; } if ( !guest_kernel_mode(v, regs) ) goto fail; switch ( (u32)regs->ecx ) { case XCR_XFEATURE_ENABLED_MASK: /* bit 0 of XCR0 must be set and reserved bit must not be set */
+ show +
362
363
364
365
366
367
if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
+ show +
368
369
370
371
372
373
374
375
376
377
break; default: goto fail; } break; } default: goto fail; } break;
.\cloneFuncs\totalClone\Type-3\CVE-2013-2078_before_6mo_1351611967_emulate_privileged_op.c
352
353
354
355
356
357
358
359
360
361
goto skip; } if ( !guest_kernel_mode(v, regs) ) goto fail; switch ( (u32)regs->ecx ) { case XCR_XFEATURE_ENABLED_MASK: /* bit 0 of XCR0 must be set and reserved bit must not be set */
+ show +
362
363
364
365
366
367
if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
+ show +
368
369
370
371
372
373
374
375
376
377
break; default: goto fail; } break; } default: goto fail; } break;

[xen_CVE-2013-4368_1381411193_emulate_privileged_op.diff] emulate_privileged_op_OLD.c #1
break; } } - else - read_descriptor(data_sel, v, regs, - &data_base, &data_limit, &ar, - 0); + else if ( !read_descriptor(data_sel, v, regs, + &data_base, &data_limit, &ar, 0) || + !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) ) + goto fail; data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-2078_before_imd_1367935960_emulate_privileged_op.c
137
138
139
140
141
142
143
144
145
146
data_base = 0UL; break; case lm_seg_fs: data_base = v->arch.pv_vcpu.fs_base; break; case lm_seg_gs: if ( guest_kernel_mode(v, regs) ) data_base = v->arch.pv_vcpu.gs_base_kernel; else data_base = v->arch.pv_vcpu.gs_base_user;
+ show +
147
148
149
150
151
152
153
154
155
156
break; } } else read_descriptor(data_sel, v, regs, &data_base, &data_limit, &ar, 0); data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
+ show +
157
158
159
160
161
162
163
164
165
166
port = (u16)regs->edx; continue_io_string: switch ( opcode ) { case 0x6c: /* INSB */ op_bytes = 1; case 0x6d: /* INSW/INSL */ if ( (data_limit < (op_bytes - 1)) ||
.\cloneFuncs\totalClone\Type-1\CVE-2013-4368_before_1mo_1378730214_emulate_privileged_op.c
137
138
139
140
141
142
143
144
145
146
data_base = 0UL; break; case lm_seg_fs: data_base = v->arch.pv_vcpu.fs_base; break; case lm_seg_gs: if ( guest_kernel_mode(v, regs) ) data_base = v->arch.pv_vcpu.gs_base_kernel; else data_base = v->arch.pv_vcpu.gs_base_user;
+ show +
147
148
149
150
151
152
153
154
155
156
break; } } else read_descriptor(data_sel, v, regs, &data_base, &data_limit, &ar, 0); data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
+ show +
157
158
159
160
161
162
163
164
165
166
port = (u16)regs->edx; continue_io_string: switch ( opcode ) { case 0x6c: /* INSB */ op_bytes = 1; case 0x6d: /* INSW/INSL */ if ( (data_limit < (op_bytes - 1)) ||
.\cloneFuncs\totalClone\Type-2\CVE-2013-2078_before_1mo_1367507105_emulate_privileged_op.c
137
138
139
140
141
142
143
144
145
146
data_base = 0UL; break; case lm_seg_fs: data_base = v->arch.pv_vcpu.fs_base; break; case lm_seg_gs: if ( guest_kernel_mode(v, regs) ) data_base = v->arch.pv_vcpu.gs_base_kernel; else data_base = v->arch.pv_vcpu.gs_base_user;
+ show +
147
148
149
150
151
152
153
154
155
156
break; } } else read_descriptor(data_sel, v, regs, &data_base, &data_limit, &ar, 0); data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
+ show +
157
158
159
160
161
162
163
164
165
166
port = (u16)regs->edx; continue_io_string: switch ( opcode ) { case 0x6c: /* INSB */ op_bytes = 1; case 0x6d: /* INSW/INSL */ if ( (data_limit < (op_bytes - 1)) ||
.\cloneFuncs\totalClone\Type-2\CVE-2013-4368_before_6mo_1361463166_emulate_privileged_op.c
137
138
139
140
141
142
143
144
145
146
data_base = 0UL; break; case lm_seg_fs: data_base = v->arch.pv_vcpu.fs_base; break; case lm_seg_gs: if ( guest_kernel_mode(v, regs) ) data_base = v->arch.pv_vcpu.gs_base_kernel; else data_base = v->arch.pv_vcpu.gs_base_user;
+ show +
147
148
149
150
151
152
153
154
155
156
break; } } else read_descriptor(data_sel, v, regs, &data_base, &data_limit, &ar, 0); data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
+ show +
157
158
159
160
161
162
163
164
165
166
port = (u16)regs->edx; continue_io_string: switch ( opcode ) { case 0x6c: /* INSB */ op_bytes = 1; case 0x6d: /* INSW/INSL */ if ( (data_limit < (op_bytes - 1)) ||
.\cloneFuncs\totalClone\Type-3\CVE-2013-2078_before_6mo_1351611967_emulate_privileged_op.c
137
138
139
140
141
142
143
144
145
146
data_base = 0UL; break; case lm_seg_fs: data_base = v->arch.pv_vcpu.fs_base; break; case lm_seg_gs: if ( guest_kernel_mode(v, regs) ) data_base = v->arch.pv_vcpu.gs_base_kernel; else data_base = v->arch.pv_vcpu.gs_base_user;
+ show +
147
148
149
150
151
152
153
154
155
156
break; } } else read_descriptor(data_sel, v, regs, &data_base, &data_limit, &ar, 0); data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; }
+ show +
157
158
159
160
161
162
163
164
165
166
port = (u16)regs->edx; continue_io_string: switch ( opcode ) { case 0x6c: /* INSB */ op_bytes = 1; case 0x6d: /* INSW/INSL */ if ( (data_limit < (op_bytes - 1)) ||

[linux_CVE-2013-2140_1358354032_dispatch_discard_io.diff] dispatch_discard_io_OLD.c #1
int status = BLKIF_RSP_OKAY; struct block_device *bdev = blkif->vbd.bdev; unsigned long secure; + struct phys_req preq; + preq.sector_number = req->u.discard.sector_number; + preq.nr_sects = req->u.discard.nr_sectors; + + err = xen_vbd_translate(&preq, blkif, WRITE); + if (err) { + pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", + preq.sector_number, + preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); + goto fail_response; + } blkif->st_ds_req++; xen_blkif_get(blkif);
.\cloneFuncs\totalClone\Type-1\CVE-2013-2140_before_1mo_1354630912_dispatch_discard_io.c
1
2
3
4
static int dispatch_discard_io(struct xen_blkif *blkif, struct blkif_request *req) { int err = 0;
+ show +
5
6
7
8
9
10
11
int status = BLKIF_RSP_OKAY; struct block_device *bdev = blkif->vbd.bdev; unsigned long secure; blkif->st_ds_req++; xen_blkif_get(blkif);
+ show +
12
13
14
15
16
17
18
19
20
21
secure = (blkif->vbd.discard_secure && (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ? BLKDEV_DISCARD_SECURE : 0; err = blkdev_issue_discard(bdev, req->u.discard.sector_number, req->u.discard.nr_sectors, GFP_KERNEL, secure); if (err == -EOPNOTSUPP) { pr_debug(DRV_PFX "discard op failed, not supported\n");

[linux_CVE-2013-2140_1358354032_dispatch_discard_io.diff] dispatch_discard_io_OLD.c #2
err = blkdev_issue_discard(bdev, req->u.discard.sector_number, req->u.discard.nr_sectors, GFP_KERNEL, secure); - +fail_response: if (err == -EOPNOTSUPP) { pr_debug(DRV_PFX "discard op failed, not supported\n"); status = BLKIF_RSP_EOPNOTSUPP;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2140_before_1mo_1354630912_dispatch_discard_io.c
6
7
8
9
10
11
12
13
14
15
struct block_device *bdev = blkif->vbd.bdev; unsigned long secure; blkif->st_ds_req++; xen_blkif_get(blkif); secure = (blkif->vbd.discard_secure && (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ? BLKDEV_DISCARD_SECURE : 0;
+ show +
16
17
18
19
20
21
22
err = blkdev_issue_discard(bdev, req->u.discard.sector_number, req->u.discard.nr_sectors, GFP_KERNEL, secure); if (err == -EOPNOTSUPP) { pr_debug(DRV_PFX "discard op failed, not supported\n"); status = BLKIF_RSP_EOPNOTSUPP;
+ show +
23
24
25
26
27
28
29
} else if (err) status = BLKIF_RSP_ERROR; make_response(blkif, req->u.discard.id, req->operation, status); xen_blkif_put(blkif); return err; }

[linux_CVE-2013-2147_1380061665_cciss_ioctl32_passthru.diff] cciss_ioctl32_passthru_OLD.c #1
int err; u32 cp; + memset(&arg64, 0, sizeof(arg64)); err = 0; err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
.\cloneFuncs\totalClone\Type-1\CVE-2013-2147_before_1mo_1371071087_cciss_ioctl32_passthru.c
1
2
3
4
5
6
7
static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, unsigned cmd, unsigned long arg) { IOCTL32_Command_struct __user *arg32 = (IOCTL32_Command_struct __user *) arg; IOCTL_Command_struct arg64; IOCTL_Command_struct __user *p = compat_alloc_user_space(sizeof(arg64));
+ show +
8
9
10
11
12
13
int err; u32 cp; err = 0; err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ show +
14
15
16
17
18
19
20
21
22
23
sizeof(arg64.LUN_info)); err |= copy_from_user(&arg64.Request, &arg32->Request, sizeof(arg64.Request)); err |= copy_from_user(&arg64.error_info, &arg32->error_info, sizeof(arg64.error_info)); err |= get_user(arg64.buf_size, &arg32->buf_size); err |= get_user(cp, &arg32->buf); arg64.buf = compat_ptr(cp);
.\cloneFuncs\totalClone\Type-2\CVE-2013-2147_before_6mo_1363965060_cciss_ioctl32_passthru.c
1
2
3
4
5
6
7
static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, unsigned cmd, unsigned long arg) { IOCTL32_Command_struct __user *arg32 = (IOCTL32_Command_struct __user *) arg; IOCTL_Command_struct arg64; IOCTL_Command_struct __user *p = compat_alloc_user_space(sizeof(arg64));
+ show +
8
9
10
11
12
13
int err; u32 cp; err = 0; err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ show +
14
15
16
17
18
19
20
21
22
23
sizeof(arg64.LUN_info)); err |= copy_from_user(&arg64.Request, &arg32->Request, sizeof(arg64.Request)); err |= copy_from_user(&arg64.error_info, &arg32->error_info, sizeof(arg64.error_info)); err |= get_user(arg64.buf_size, &arg32->buf_size); err |= get_user(cp, &arg32->buf); arg64.buf = compat_ptr(cp);

[xen_CVE-2013-2212_1398329709_start_vmx.diff] start_vmx_OLD.c #1
* Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole * (refer to http://xenbits.xen.org/xsa/advisory-60.html). */ - if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) + if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_force_ept) ) { vmx_function_table.hap_supported = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2212_before_1mo_1395139903_start_vmx.c
2
3
4
5
6
7
8
9
10
11
{ set_in_cr4(X86_CR4_VMXE); if ( vmx_cpu_up() ) { printk("VMX: failed to initialise.\n"); return NULL; } /*
+ show +
12
13
14
15
16
17
* Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole * (refer to http://xenbits.xen.org/xsa/advisory-60.html). */ if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) { vmx_function_table.hap_supported = 1;
+ show +
18
19
20
21
22
23
24
25
26
27
vmx_function_table.hap_capabilities = 0; if ( cpu_has_vmx_ept_2mb ) vmx_function_table.hap_capabilities |= HVM_HAP_SUPERPAGE_2MB; if ( cpu_has_vmx_ept_1gb ) vmx_function_table.hap_capabilities |= HVM_HAP_SUPERPAGE_1GB; setup_ept_dump(); }

[ffmpeg_CVE-2013-2277_1362392468_h264_set_parameter_from_sps.diff] h264_set_parameter_from_sps_OLD.c #1
if (h->avctx->has_b_frames < 2) h->avctx->has_b_frames = !h->low_delay; + if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { + av_log_missing_feature(h->avctx, + "Different bit depth between chroma and luma", 1); + return AVERROR_PATCHWELCOME; + } + if (h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (h->avctx->codec &&
.\cloneFuncs\totalClone\Type-1\CVE-2013-2277_before_imd_1360838673_h264_set_parameter_from_sps.c
3
4
5
6
7
8
9
10
11
12
if (h->flags & CODEC_FLAG_LOW_DELAY || (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) { if (h->avctx->has_b_frames > 1 || h->delayed_pic[0]) av_log(h->avctx, AV_LOG_WARNING, "Delayed frames seen. " "Reenabling low delay requires a codec flush.\n"); else h->low_delay = 1; }
+ show +
13
14
15
16
17
18
if (h->avctx->has_b_frames < 2) h->avctx->has_b_frames = !h->low_delay; if (h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (h->avctx->codec &&
+ show +
19
20
21
22
23
24
25
26
27
28
h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU && (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) { av_log(h->avctx, AV_LOG_ERROR, "VDPAU decoding does not support video colorspace.\n"); return AVERROR_INVALIDDATA; } if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { h->avctx->bits_per_raw_sample = h->sps.bit_depth_luma; h->cur_chroma_format_idc = h->sps.chroma_format_idc; h->pixel_shift = h->sps.bit_depth_luma > 8;

[ffmpeg_CVE-2013-2495_1363548139_iff_read_header.diff] iff_read_header_OLD.c #1
break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata)
.\cloneFuncs\totalClone\Type-1\CVE-2013-2495_before_imd_1333821945_iff_read_header.c
46
47
48
49
50
51
52
53
54
55
case ID_CHAN: if (data_size < 4) return AVERROR_INVALIDDATA; if (avio_rb32(pb) < 6) { st->codec->channels = 1; st->codec->channel_layout = AV_CH_LAYOUT_MONO; } else { st->codec->channels = 2; st->codec->channel_layout = AV_CH_LAYOUT_STEREO; }
+ show +
56
57
58
59
60
61
break; case ID_CMAP: st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata)
+ show +
62
63
64
65
66
67
68
69
70
71
return AVERROR(ENOMEM); if (avio_read(pb, st->codec->extradata, data_size) < 0) return AVERROR(EIO); break; case ID_BMHD: st->codec->codec_type = AVMEDIA_TYPE_VIDEO; if (data_size <= 8) return AVERROR_INVALIDDATA; st->codec->width = avio_rb16(pb);
.\cloneFuncs\totalClone\Type-3\CVE-2013-2495_before_1mo_1344157864_iff_read_header.c
39
40
41
42
43
44
45
46
47
48
case ID_BODY: iff->body_pos = avio_tell(pb); iff->body_size = data_size; break; case ID_CHAN: if (data_size < 4) return AVERROR_INVALIDDATA; st->codec->channels = (avio_rb32(pb) < 6) ? 1 : 2;
+ show +
49
50
51
52
53
54
break; case ID_CMAP: st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata)
+ show +
55
56
57
58
59
60
61
62
63
64
return AVERROR(ENOMEM); if (avio_read(pb, st->codec->extradata, data_size) < 0) return AVERROR(EIO); break; case ID_BMHD: st->codec->codec_type = AVMEDIA_TYPE_VIDEO; if (data_size <= 8) return AVERROR_INVALIDDATA; st->codec->width = avio_rb16(pb);
.\cloneFuncs\totalClone\Type-3\CVE-2013-2495_before_6mo_1343093028_iff_read_header.c
39
40
41
42
43
44
45
46
47
48
case ID_BODY: iff->body_pos = avio_tell(pb); iff->body_size = data_size; break; case ID_CHAN: if (data_size < 4) return AVERROR_INVALIDDATA; st->codec->channels = (avio_rb32(pb) < 6) ? 1 : 2;
+ show +
49
50
51
52
53
54
break; case ID_CMAP: st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata)
+ show +
55
56
57
58
59
60
61
62
63
64
return AVERROR(ENOMEM); if (avio_read(pb, st->codec->extradata, data_size) < 0) return AVERROR(EIO); break; case ID_BMHD: st->codec->codec_type = AVMEDIA_TYPE_VIDEO; if (data_size <= 8) return AVERROR_INVALIDDATA; st->codec->width = avio_rb16(pb);

[linux_CVE-2013-2851_1372888874_osd_probe.diff] osd_probe_OLD.c #1
oud->class_dev.class = &osd_uld_class; oud->class_dev.parent = dev; oud->class_dev.release = __remove; - error = dev_set_name(&oud->class_dev, disk->disk_name); + error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); if (error) { OSD_ERR("dev_set_name failed => %d\n", error); goto err_put_cdev;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2851_before_1mo_1351115501_osd_probe.c
61
62
63
64
65
66
67
68
69
70
oud->cdev.owner = THIS_MODULE; error = cdev_add(&oud->cdev, MKDEV(SCSI_OSD_MAJOR, oud->minor), 1); if (error) { OSD_ERR("cdev_add failed\n"); goto err_put_disk; } /* class device member */ oud->class_dev.devt = oud->cdev.dev;
+ show +
71
72
73
74
75
76
77
oud->class_dev.class = &osd_uld_class; oud->class_dev.parent = dev; oud->class_dev.release = __remove; error = dev_set_name(&oud->class_dev, disk->disk_name); if (error) { OSD_ERR("dev_set_name failed => %d\n", error); goto err_put_cdev;
+ show +
78
79
80
81
82
83
84
85
86
87
} error = device_register(&oud->class_dev); if (error) { OSD_ERR("device_register failed => %d\n", error); goto err_put_cdev; } get_device(&oud->class_dev);

[linux_CVE-2013-2852_1368222501_b43_request_firmware.diff] b43_request_firmware_OLD.c #1
for (i = 0; i < B43_NR_FWTYPES; i++) { errmsg = ctx->errors[i]; if (strlen(errmsg)) - b43err(dev->wl, errmsg); + b43err(dev->wl, "%s", errmsg); } b43_print_fw_helptext(dev->wl, 1); goto out;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2852_before_1mo_1365617394_b43_request_firmware.c
23
24
25
26
27
28
29
30
31
32
/* proprietary fw not found, try open source */ ctx->req_type = B43_FWTYPE_OPENSOURCE; err = b43_try_request_fw(ctx); if (!err) goto start_ieee80211; /* Successfully loaded it. */ if(ctx->fatal_failure) goto out; /* Could not find a usable firmware. Print the errors. */
+ show +
33
34
35
36
37
38
39
for (i = 0; i < B43_NR_FWTYPES; i++) { errmsg = ctx->errors[i]; if (strlen(errmsg)) b43err(dev->wl, errmsg); } b43_print_fw_helptext(dev->wl, 1); goto out;
+ show +
40
41
42
43
44
45
46
47
48
49
start_ieee80211: wl->hw->queues = B43_QOS_QUEUE_NUM; if (!modparam_qos || dev->fw.opensource) wl->hw->queues = 1; err = ieee80211_register_hw(wl->hw); if (err) goto err_one_core_detach; wl->hw_registred = true;

[linux_CVE-2013-2888_1377721795_hid_close_report.diff] hid_close_report_OLD.c #1
for (i = 0; i < HID_REPORT_TYPES; i++) { struct hid_report_enum *report_enum = device->report_enum + i; - for (j = 0; j < 256; j++) { + for (j = 0; j < HID_MAX_IDS; j++) { struct hid_report *report = report_enum->report_id_hash[j]; if (report) hid_free_report(report);
.\cloneFuncs\totalClone\Type-1\CVE-2013-2888_before_1mo_1372942946_hid_close_report.c
1
2
3
4
static void hid_close_report(struct hid_device *device) { unsigned i, j;
+ show +
5
6
7
8
9
10
11
for (i = 0; i < HID_REPORT_TYPES; i++) { struct hid_report_enum *report_enum = device->report_enum + i; for (j = 0; j < 256; j++) { struct hid_report *report = report_enum->report_id_hash[j]; if (report) hid_free_report(report);
+ show +
12
13
14
15
16
17
18
19
20
21
} memset(report_enum, 0, sizeof(*report_enum)); INIT_LIST_HEAD(&report_enum->report_list); } kfree(device->rdesc); device->rdesc = NULL; device->rsize = 0; kfree(device->collection);

[linux_CVE-2013-2888_1377721795_hid_parser_global.diff] hid_parser_global_OLD.c #1
case HID_GLOBAL_ITEM_TAG_REPORT_ID: parser->global.report_id = item_udata(item); - if (parser->global.report_id == 0) { - hid_err(parser->device, "report_id 0 is invalid\n"); + if (parser->global.report_id == 0 || + parser->global.report_id >= HID_MAX_IDS) { + hid_err(parser->device, "report_id %u is invalid\n", + parser->global.report_id); return -1; } return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2888_before_1mo_1372942946_hid_parser_global.c
76
77
78
79
80
81
82
83
84
85
case HID_GLOBAL_ITEM_TAG_REPORT_COUNT: parser->global.report_count = item_udata(item); if (parser->global.report_count > HID_MAX_USAGES) { hid_err(parser->device, "invalid report_count %d\n", parser->global.report_count); return -1; } return 0;
+ show +
86
87
88
89
90
91
92
case HID_GLOBAL_ITEM_TAG_REPORT_ID: parser->global.report_id = item_udata(item); if (parser->global.report_id == 0) { hid_err(parser->device, "report_id 0 is invalid\n"); return -1; } return 0;
+ show +
93
94
95
96
97
98
default: hid_err(parser->device, "unknown global tag 0x%x\n", item->tag); return -1; } }

[linux_CVE-2013-2895_1378929416_logi_dj_probe.diff] logi_dj_probe_OLD.c #1
goto hid_parse_fail; } + if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, + 0, DJREPORT_SHORT_LENGTH - 1)) { + retval = -ENODEV; + goto hid_parse_fail; + } + /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
.\cloneFuncs\totalClone\Type-1\CVE-2013-2895_after_1mo_1384556697_logi_dj_probe.c
48
49
50
51
52
53
54
55
56
57
retval = hid_parse(hdev); if (retval) { dev_err(&hdev->dev, "%s:parse of interface 2 failed\n", __func__); goto hid_parse_fail; } if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, 0, DJREPORT_SHORT_LENGTH - 1)) { retval = -ENODEV;
+ show +
58
59
60
61
62
63
goto hid_parse_fail; } /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ show +
64
65
66
67
68
69
70
71
72
73
if (retval) { dev_err(&hdev->dev, "%s:hid_hw_start returned error\n", __func__); goto hid_hw_start_fail; } retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0); if (retval < 0) { dev_err(&hdev->dev, "%s:logi_dj_recv_switch_to_dj_mode returned error:%d\n",
.\cloneFuncs\totalClone\Type-1\CVE-2013-2895_before_imd_1378461517_logi_dj_probe.c
42
43
44
45
46
47
48
49
50
51
hid_set_drvdata(hdev, djrcv_dev); /* Call to usbhid to fetch the HID descriptors of interface 2 and * subsequently call to the hid/hid-core to parse the fetched * descriptors, this will in turn create the hidraw and hiddev nodes * for interface 2 of the receiver */ retval = hid_parse(hdev); if (retval) { dev_err(&hdev->dev, "%s:parse of interface 2 failed\n", __func__);
+ show +
52
53
54
55
56
57
goto hid_parse_fail; } /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ show +
58
59
60
61
62
63
64
65
66
67
if (retval) { dev_err(&hdev->dev, "%s:hid_hw_start returned error\n", __func__); goto hid_hw_start_fail; } retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0); if (retval < 0) { dev_err(&hdev->dev, "%s:logi_dj_recv_switch_to_dj_mode returned error:%d\n",
.\cloneFuncs\totalClone\Type-2\CVE-2013-2895_before_1mo_1376040859_logi_dj_probe.c
42
43
44
45
46
47
48
49
50
51
hid_set_drvdata(hdev, djrcv_dev); /* Call to usbhid to fetch the HID descriptors of interface 2 and * subsequently call to the hid/hid-core to parse the fetched * descriptors, this will in turn create the hidraw and hiddev nodes * for interface 2 of the receiver */ retval = hid_parse(hdev); if (retval) { dev_err(&hdev->dev, "%s:parse of interface 2 failed\n", __func__);
+ show +
52
53
54
55
56
57
goto hid_parse_fail; } /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ show +
58
59
60
61
62
63
64
65
66
67
if (retval) { dev_err(&hdev->dev, "%s:hid_hw_start returned error\n", __func__); goto hid_hw_start_fail; } retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0); if (retval < 0) { dev_err(&hdev->dev, "%s:logi_dj_recv_switch_to_dj_mode returned error:%d\n",
.\cloneFuncs\totalClone\Type-3\CVE-2013-2895_before_6mo_1362823093_logi_dj_probe.c
42
43
44
45
46
47
48
49
50
51
hid_set_drvdata(hdev, djrcv_dev); /* Call to usbhid to fetch the HID descriptors of interface 2 and * subsequently call to the hid/hid-core to parse the fetched * descriptors, this will in turn create the hidraw and hiddev nodes * for interface 2 of the receiver */ retval = hid_parse(hdev); if (retval) { dev_err(&hdev->dev, "%s:parse of interface 2 failed\n", __func__);
+ show +
52
53
54
55
56
57
goto hid_parse_fail; } /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ show +
58
59
60
61
62
63
64
65
66
67
if (retval) { dev_err(&hdev->dev, "%s:hid_hw_start returned error\n", __func__); goto hid_hw_start_fail; } retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0); if (retval < 0) { dev_err(&hdev->dev, "%s:logi_dj_recv_switch_to_dj_mode returned error:%d\n",

[linux_CVE-2013-2895_1378929416_logi_dj_recv_send_report.diff] logi_dj_recv_send_report_OLD.c #1
struct hid_report *report; struct hid_report_enum *output_report_enum; u8 *data = (u8 *)(&dj_report->device_index); - int i; + unsigned int i; output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
.\cloneFuncs\totalClone\Type-1\CVE-2013-2895_before_1mo_1376040859_logi_dj_recv_send_report.c
1
2
3
4
static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, struct dj_report *dj_report) { struct hid_device *hdev = djrcv_dev->hdev;
+ show +
5
6
7
8
9
10
11
struct hid_report *report; struct hid_report_enum *output_report_enum; u8 *data = (u8 *)(&dj_report->device_index); int i; output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+ show +
12
13
14
15
16
17
18
19
20
21
if (!report) { dev_err(&hdev->dev, "%s: unable to find dj report\n", __func__); return -ENODEV; } for (i = 0; i < report->field[0]->report_count; i++) report->field[0]->value[i] = data[i]; hid_hw_request(hdev, report, HID_REQ_SET_REPORT);

[linux_CVE-2013-2897_1378929418_mt_touch_input_mapping.diff] mt_touch_input_mapping_OLD.c #1
mt_store_field(usage, td, hi); return 1; case HID_DG_CONTACTCOUNT: + /* Ignore if indexes are out of bounds. */ + if (field->index >= field->report->maxfield || + usage->usage_index >= field->report_count) + return 1; td->cc_index = field->index; td->cc_value_index = usage->usage_index; return 1;
.\cloneFuncs\totalClone\Type-1\CVE-2013-2897_before_1mo_1374687485_mt_touch_input_mapping.c
98
99
100
101
102
103
104
105
106
107
input_set_abs_params(hi->input, ABS_MT_ORIENTATION, 0, 1, 0, 0); } mt_store_field(usage, td, hi); return 1; case HID_DG_TIPPRESSURE: hid_map_usage(hi, usage, bit, max, EV_ABS, ABS_MT_PRESSURE); set_abs(hi->input, ABS_MT_PRESSURE, field, cls->sn_pressure);
+ show +
108
109
110
111
112
113
mt_store_field(usage, td, hi); return 1; case HID_DG_CONTACTCOUNT: td->cc_index = field->index; td->cc_value_index = usage->usage_index; return 1;
+ show +
114
115
116
117
118
119
120
121
122
123
case HID_DG_CONTACTMAX: /* we don't set td->last_slot_field as contactcount and * contact max are global to the report */ return -1; case HID_DG_TOUCH: /* Legacy devices use TIPSWITCH and not TOUCH. * Let's just ignore this field. */ return -1; } /* let hid-input decide for the others */

[linux_CVE-2013-2897_1378929418_mt_feature_mapping.diff] mt_feature_mapping_OLD.c #1
struct hid_field *field, struct hid_usage *usage) { struct mt_device *td = hid_get_drvdata(hdev); - int i; switch (usage->hid) { case HID_DG_INPUTMODE: - td->inputmode = field->report->id; - td->inputmode_index = 0; /* has to be updated below */ - - for (i=0; i < field->maxusage; i++) { - if (field->usage[i].hid == usage->hid) { - td->inputmode_index = i; - break; - } + /* Ignore if value index is out of bounds. */ + if (usage->usage_index >= field->report_count) { + dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); + break; } + td->inputmode = field->report->id; + td->inputmode_index = usage->usage_index; + break; case HID_DG_CONTACTMAX: td->maxcontact_report_id = field->report->id;
.\cloneFuncs\totalClone\Type-3\CVE-2013-2897_before_1mo_1374687485_mt_feature_mapping.c
1
static void mt_feature_mapping(struct hid_device *hdev,
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
struct hid_field *field, struct hid_usage *usage) { struct mt_device *td = hid_get_drvdata(hdev); int i; switch (usage->hid) { case HID_DG_INPUTMODE: td->inputmode = field->report->id; td->inputmode_index = 0; /* has to be updated below */ for (i=0; i < field->maxusage; i++) { if (field->usage[i].hid == usage->hid) { td->inputmode_index = i; break; } } break; case HID_DG_CONTACTMAX: td->maxcontact_report_id = field->report->id;
+ show +
22
23
24
25
26
27
28
29
30
31
td->maxcontacts = field->value[0]; if (!td->maxcontacts && field->logical_maximum <= MT_MAX_MAXCONTACT) td->maxcontacts = field->logical_maximum; if (td->mtclass.maxcontacts) /* check if the maxcontacts is given by the class */ td->maxcontacts = td->mtclass.maxcontacts; break; case 0xff0000c5:

[linux_CVE-2013-2898_1377721904_sensor_hub_get_feature.diff] sensor_hub_get_feature_OLD.c #1
mutex_lock(&data->mutex); report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); - if (!report || (field_index >= report->maxfield)) { + if (!report || (field_index >= report->maxfield) || + report->field[field_index]->report_count < 1) { ret = -EINVAL; goto done_proc; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-2898_before_1mo_1361788307_sensor_hub_get_feature.c
1
2
3
4
5
6
7
int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, u32 field_index, s32 *value) { struct hid_report *report; struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev); int ret = 0;
+ show +
8
9
10
11
12
13
mutex_lock(&data->mutex); report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); if (!report || (field_index >= report->maxfield)) { ret = -EINVAL; goto done_proc; }
+ show +
14
15
16
17
18
19
20
21
22
hid_hw_request(hsdev->hdev, report, HID_REQ_GET_REPORT); hid_hw_wait(hsdev->hdev); *value = report->field[field_index]->value[0]; done_proc: mutex_unlock(&data->mutex); return ret; }
.\cloneFuncs\totalClone\Type-2\CVE-2013-2898_before_6mo_1361788306_sensor_hub_get_feature.c
1
2
3
4
5
6
7
int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, u32 field_index, s32 *value) { struct hid_report *report; struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev); int ret = 0;
+ show +
8
9
10
11
12
13
mutex_lock(&data->mutex); report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); if (!report || (field_index >= report->maxfield)) { ret = -EINVAL; goto done_proc; }
+ show +
14
15
16
17
18
19
20
21
22
hid_hw_request(hsdev->hdev, report, HID_REQ_GET_REPORT); usbhid_wait_io(hsdev->hdev); *value = report->field[field_index]->value[0]; done_proc: mutex_unlock(&data->mutex); return ret; }

[linux_CVE-2013-2899_1377721912_picolcd_operation_mode_store.diff] picolcd_operation_mode_store_OLD.c #1
buf += 10; cnt -= 10; } - if (!report) + if (!report || report->maxfield != 1) return -EINVAL; while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
.\cloneFuncs\totalClone\Type-1\CVE-2013-2899_before_imd_1361788306_picolcd_operation_mode_store.c
8
9
10
11
12
13
14
15
16
17
unsigned long flags; if (cnt >= 3 && strncmp("lcd", buf, 3) == 0) { if (data->status & PICOLCD_BOOTLOADER) report = picolcd_out_report(REPORT_EXIT_FLASHER, data->hdev); buf += 3; cnt -= 3; } else if (cnt >= 10 && strncmp("bootloader", buf, 10) == 0) { if (!(data->status & PICOLCD_BOOTLOADER)) report = picolcd_out_report(REPORT_EXIT_KEYBOARD, data->hdev);
+ show +
18
19
20
21
22
23
24
buf += 10; cnt -= 10; } if (!report) return -EINVAL; while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+ show +
25
26
27
28
29
30
31
32
33
34
cnt--; if (cnt != 0) return -EINVAL; spin_lock_irqsave(&data->lock, flags); hid_set_field(report->field[0], 0, timeout & 0xff); hid_set_field(report->field[0], 1, (timeout >> 8) & 0xff); hid_hw_request(data->hdev, report, HID_REQ_SET_REPORT); spin_unlock_irqrestore(&data->lock, flags); return count;
.\cloneFuncs\totalClone\Type-2\CVE-2013-2899_before_1mo_1355783306_picolcd_operation_mode_store.c
8
9
10
11
12
13
14
15
16
17
unsigned long flags; if (cnt >= 3 && strncmp("lcd", buf, 3) == 0) { if (data->status & PICOLCD_BOOTLOADER) report = picolcd_out_report(REPORT_EXIT_FLASHER, data->hdev); buf += 3; cnt -= 3; } else if (cnt >= 10 && strncmp("bootloader", buf, 10) == 0) { if (!(data->status & PICOLCD_BOOTLOADER)) report = picolcd_out_report(REPORT_EXIT_KEYBOARD, data->hdev);
+ show +
18
19
20
21
22
23
24
buf += 10; cnt -= 10; } if (!report) return -EINVAL; while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+ show +
25
26
27
28
29
30
31
32
33
34
cnt--; if (cnt != 0) return -EINVAL; spin_lock_irqsave(&data->lock, flags); hid_set_field(report->field[0], 0, timeout & 0xff); hid_set_field(report->field[0], 1, (timeout >> 8) & 0xff); usbhid_submit_report(data->hdev, report, USB_DIR_OUT); spin_unlock_irqrestore(&data->lock, flags); return count;

[linux_CVE-2013-2930_1383673871_perf_trace_event_perm.diff] perf_trace_event_perm_OLD.c #1
{ /* The ftrace function trace is allowed only for root. */ if (ftrace_event_is_function(tp_event) && - perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) + perf_paranoid_tracepoint_raw() && !capable(CAP_SYS_ADMIN)) return -EPERM; /* No tracing, just counting, so no obvious leak */
.\cloneFuncs\totalClone\Type-1\CVE-2013-2930_before_1mo_1371488524_perf_trace_event_perm.c
1
2
static int perf_trace_event_perm(struct ftrace_event_call *tp_event, struct perf_event *p_event)
+ show +
3
4
5
6
7
8
9
{ /* The ftrace function trace is allowed only for root. */ if (ftrace_event_is_function(tp_event) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EPERM; /* No tracing, just counting, so no obvious leak */
+ show +
10
11
12
13
14
15
16
17
18
19
if (!(p_event->attr.sample_type & PERF_SAMPLE_RAW)) return 0; /* Some events are ok to be traced by non-root users... */ if (p_event->attach_state == PERF_ATTACH_TASK) { if (tp_event->flags & TRACE_EVENT_FL_CAP_ANY) return 0; } /*

[xen_CVE-2013-3495_1411045402_pci_vtd_quirk.diff] pci_vtd_quirk_OLD.c #1
action, seg, bus, dev, func); break; - case 0x100: case 0x104: case 0x108: /* Sandybridge */ - case 0x150: case 0x154: case 0x158: /* Ivybridge */ - case 0xa04: /* Haswell ULT */ - case 0xc00: case 0xc04: case 0xc08: /* Haswell */ + case 0x0040: case 0x0044: case 0x0048: /* Nehalem/Westmere */ + case 0x0100: case 0x0104: case 0x0108: /* Sandybridge */ + case 0x0150: case 0x0154: case 0x0158: /* Ivybridge */ + case 0x0a04: /* Haswell ULT */ + case 0x0c00: case 0x0c04: case 0x0c08: /* Haswell */ + case 0x1600: case 0x1604: case 0x1608: /* Broadwell */ bar = pci_conf_read32(seg, bus, dev, func, 0x6c); bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68); pa = bar & 0x7ffffff000UL; /* bits 12...38 */
.\cloneFuncs\totalClone\Type-1\CVE-2013-3495_before_imd_1401983354_pci_vtd_quirk.c
83
84
85
86
87
88
89
90
91
92
action = "Masked"; } else action = "Must not mask"; /* XPUNCERRMSK Send Completion with Unsupported Request */ val = pci_conf_read32(seg, bus, dev, func, 0x20c); pci_conf_write32(seg, bus, dev, func, 0x20c, val | (1 << 4)); printk(XENLOG_INFO "%s UR signaling on %04x:%02x:%02x.%u\n",
+ show +
93
94
95
96
97
98
99
100
101
102
action, seg, bus, dev, func); break; case 0x100: case 0x104: case 0x108: /* Sandybridge */ case 0x150: case 0x154: case 0x158: /* Ivybridge */ case 0xa04: /* Haswell ULT */ case 0xc00: case 0xc04: case 0xc08: /* Haswell */ bar = pci_conf_read32(seg, bus, dev, func, 0x6c); bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68); pa = bar & 0x7ffffff000UL; /* bits 12...38 */
+ show +
103
104
105
106
107
108
109
110
111
112
if ( (bar & 1) && pa && page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) ) { u32 __iomem *va = ioremap(pa, PAGE_SIZE); if ( va ) { __set_bit(0x1c8 * 8 + 20, va); iounmap(va); printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",

[ffmpeg_CVE-2013-3672_1407090258_mm_decode_inter.diff] mm_decode_inter_OLD.c #1
int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame->data[0][y*s->frame->linesize[0] + x] = color;
.\cloneFuncs\totalClone\Type-1\CVE-2013-3672_before_imd_1383988486_mm_decode_inter.c
16
17
18
19
20
21
22
23
24
25
if (length==0) { y += x; continue; } if (y + half_vert >= s->avctx->height) return 0; for(i=0; i<length; i++) {
+ show +
26
27
28
29
30
31
int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame->data[0][y*s->frame->linesize[0] + x] = color;
+ show +
32
33
34
35
36
37
38
39
40
41
if (half_horiz) s->frame->data[0][y*s->frame->linesize[0] + x + 1] = color; if (half_vert) { s->frame->data[0][(y+1)*s->frame->linesize[0] + x] = color; if (half_horiz) s->frame->data[0][(y+1)*s->frame->linesize[0] + x + 1] = color; } } x += 1 + half_horiz; }

[ffmpeg_CVE-2013-3674_1407322010_cdg_decode_frame.diff] cdg_decode_frame_OLD.c #1
static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; + GetByteContext gb; int buf_size = avpkt->size; int ret; uint8_t command, inst;
.\cloneFuncs\totalClone\Type-1\CVE-2013-3674_before_1mo_1353530086_cdg_decode_frame.c
+ show +
1
2
3
4
5
6
7
static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; int ret; uint8_t command, inst;
+ show +
8
9
10
11
12
13
14
15
16
17
uint8_t cdg_data[CDG_DATA_SIZE]; AVFrame *frame = data; CDGraphicsContext *cc = avctx->priv_data; if (buf_size < CDG_MINIMUM_PKT_SIZE) { av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } ret = ff_reget_buffer(avctx, cc->frame);
.\cloneFuncs\totalClone\Type-3\CVE-2013-3674_before_6mo_1359234139_cdg_decode_frame.c
+ show +
1
2
3
4
5
6
7
static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; int ret; uint8_t command, inst;
+ show +
8
9
10
11
12
13
14
15
16
17
uint8_t cdg_data[CDG_DATA_SIZE]; AVFrame new_frame; CDGraphicsContext *cc = avctx->priv_data; if (buf_size < CDG_MINIMUM_PKT_SIZE) { av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } ret = avctx->reget_buffer(avctx, &cc->frame);

[ffmpeg_CVE-2013-3674_1407322010_cdg_decode_frame.diff] cdg_decode_frame_OLD.c #2
AVFrame *frame = data; CDGraphicsContext *cc = avctx->priv_data; - if (buf_size < CDG_MINIMUM_PKT_SIZE) { - av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); - return AVERROR(EINVAL); - } + bytestream2_init(&gb, avpkt->data, avpkt->size); + ret = ff_reget_buffer(avctx, cc->frame); if (ret) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-3674_before_1mo_1353530086_cdg_decode_frame.c
1
2
3
4
5
6
7
8
static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; int ret; uint8_t command, inst; uint8_t cdg_data[CDG_DATA_SIZE];
+ show +
9
10
11
12
13
14
15
16
17
18
AVFrame *frame = data; CDGraphicsContext *cc = avctx->priv_data; if (buf_size < CDG_MINIMUM_PKT_SIZE) { av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } ret = ff_reget_buffer(avctx, cc->frame); if (ret) {
+ show +
19
20
21
22
23
24
25
26
27
28
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return ret; } if (!avctx->frame_number) memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height); command = bytestream_get_byte(&buf); inst = bytestream_get_byte(&buf); inst &= CDG_MASK; buf += 2; /// skipping 2 unneeded bytes

[ffmpeg_CVE-2013-3674_1407322010_cdg_decode_frame.diff] cdg_decode_frame_OLD.c #3
if (!avctx->frame_number) memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height); - command = bytestream_get_byte(&buf); - inst = bytestream_get_byte(&buf); + command = bytestream2_get_byte(&gb); + inst = bytestream2_get_byte(&gb); inst &= CDG_MASK; - buf += 2; /// skipping 2 unneeded bytes - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); + bytestream2_skip(&gb, 2); + bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data)); if ((command & CDG_MASK) == CDG_COMMAND) { switch (inst) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-3674_before_1mo_1353530086_cdg_decode_frame.c
12
13
14
15
16
17
18
19
20
21
if (buf_size < CDG_MINIMUM_PKT_SIZE) { av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } ret = ff_reget_buffer(avctx, cc->frame); if (ret) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return ret; }
+ show +
22
23
24
25
26
27
28
29
30
31
32
if (!avctx->frame_number) memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height); command = bytestream_get_byte(&buf); inst = bytestream_get_byte(&buf); inst &= CDG_MASK; buf += 2; /// skipping 2 unneeded bytes bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); if ((command & CDG_MASK) == CDG_COMMAND) { switch (inst) {
+ show +
33
34
35
36
37
38
39
40
41
42
case CDG_INST_MEMORY_PRESET: if (!(cdg_data[1] & 0x0F)) memset(cc->frame->data[0], cdg_data[0] & 0x0F, cc->frame->linesize[0] * CDG_FULL_HEIGHT); break; case CDG_INST_LOAD_PAL_LO: case CDG_INST_LOAD_PAL_HIGH: if (buf_size - CDG_HEADER_SIZE < CDG_DATA_SIZE) { av_log(avctx, AV_LOG_ERROR, "buffer too small for loading palette\n"); return AVERROR(EINVAL);

[qemu_CVE-2013-4149_1398690501_virtio_net_load.diff] virtio_net_load_OLD.c #1
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { qemu_get_buffer(f, n->mac_table.macs, n->mac_table.in_use * ETH_ALEN); - } else if (n->mac_table.in_use) { - uint8_t *buf = g_malloc0(n->mac_table.in_use); - qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); - g_free(buf); + } else { + int64_t i; + + /* Overflow detected - can happen if source has a larger MAC table. + * We simply set overflow flag so there's no need to maintain the + * table of addresses, discard them all. + * Note: 64 bit math to avoid integer overflow. + */ + for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) { + qemu_get_byte(f); + } n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; n->mac_table.in_use = 0; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4149_before_imd_1396543856_virtio_net_load.c
26
27
28
29
30
31
32
33
34
35
n->allmulti = qemu_get_be32(f); } else { n->promisc = qemu_get_byte(f); n->allmulti = qemu_get_byte(f); } } if (version_id >= 5) { n->mac_table.in_use = qemu_get_be32(f); /* MAC_TABLE_ENTRIES may be different from the saved image */
+ show +
36
37
38
39
40
41
42
43
44
45
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { qemu_get_buffer(f, n->mac_table.macs, n->mac_table.in_use * ETH_ALEN); } else if (n->mac_table.in_use) { uint8_t *buf = g_malloc0(n->mac_table.in_use); qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); g_free(buf); n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; n->mac_table.in_use = 0; }
+ show +
46
47
48
49
50
51
52
53
54
55
} if (version_id >= 6) qemu_get_buffer(f, (uint8_t *)n->vlans, MAX_VLAN >> 3); if (version_id >= 7) { if (qemu_get_be32(f) && !peer_has_vnet_hdr(n)) { error_report("virtio-net: saved image requires vnet_hdr=on"); return -1; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4150_before_1mo_1392894849_virtio_net_load.c
26
27
28
29
30
31
32
33
34
35
n->allmulti = qemu_get_be32(f); } else { n->promisc = qemu_get_byte(f); n->allmulti = qemu_get_byte(f); } } if (version_id >= 5) { n->mac_table.in_use = qemu_get_be32(f); /* MAC_TABLE_ENTRIES may be different from the saved image */
+ show +
36
37
38
39
40
41
42
43
44
45
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { qemu_get_buffer(f, n->mac_table.macs, n->mac_table.in_use * ETH_ALEN); } else if (n->mac_table.in_use) { uint8_t *buf = g_malloc0(n->mac_table.in_use); qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); g_free(buf); n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; n->mac_table.in_use = 0; }
+ show +
46
47
48
49
50
51
52
53
54
55
} if (version_id >= 6) qemu_get_buffer(f, (uint8_t *)n->vlans, MAX_VLAN >> 3); if (version_id >= 7) { if (qemu_get_be32(f) && !peer_has_vnet_hdr(n)) { error_report("virtio-net: saved image requires vnet_hdr=on"); return -1; }

[qemu_CVE-2013-4150_1396543856_virtio_net_load.diff] virtio_net_load_OLD.c #1
} n->curr_queues = qemu_get_be16(f); + if (n->curr_queues > n->max_queues) { + error_report("virtio-net: curr_queues %x > max_queues %x", + n->curr_queues, n->max_queues); + return -1; + } for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4150_before_1mo_1392894849_virtio_net_load.c
71
72
73
74
75
76
77
78
79
80
if (qemu_get_byte(f) && !peer_has_ufo(n)) { error_report("virtio-net: saved image requires TUN_F_UFO support"); return -1; } } if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "); return -1;
+ show +
81
82
83
84
85
86
} n->curr_queues = qemu_get_be16(f); for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); }
+ show +
87
88
89
90
91
92
93
94
95
96
} if ((1 << VIRTIO_NET_F_CTRL_GUEST_OFFLOADS) & vdev->guest_features) { n->curr_guest_offloads = qemu_get_be64(f); } else { n->curr_guest_offloads = virtio_net_supported_guest_offloads(n); } if (peer_has_vnet_hdr(n)) { virtio_net_apply_guest_offloads(n);

[qemu_CVE-2013-4151_1396543874_virtio_load.diff] virtio_load_OLD.c #1
int virtio_load(VirtIODevice *vdev, QEMUFile *f) { - int num, i, ret; + int i, ret; + uint32_t num; uint32_t features; uint32_t supported_features; BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
.\cloneFuncs\totalClone\Type-1\CVE-2013-4151_before_1mo_1387256849_virtio_load.c
+ show +
1
2
3
4
5
6
int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int num, i, ret; uint32_t features; uint32_t supported_features; BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
+ show +
7
8
9
10
11
12
13
14
15
16
VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); if (k->load_config) { ret = k->load_config(qbus->parent, f); if (ret) return ret; } qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr);

[qemu_CVE-2013-4151_1396543874_virtio_load.diff] virtio_load_OLD.c #2
num = qemu_get_be32(f); + if (num > VIRTIO_PCI_QUEUE_MAX) { + error_report("Invalid number of PCI queues: 0x%x", num); + return -1; + } + for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-4151_before_1mo_1387256849_virtio_load.c
19
20
21
22
23
24
25
26
27
28
if (virtio_set_features(vdev, features) < 0) { supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x", features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len);
+ show +
29
30
31
32
33
num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) {
+ show +
34
35
36
37
38
39
40
41
42
43
vdev->vq[i].vring.align = qemu_get_be32(f); } vdev->vq[i].pa = qemu_get_be64(f); qemu_get_be16s(f, &vdev->vq[i].last_avail_idx); vdev->vq[i].signalled_used_valid = false; vdev->vq[i].notification = true; if (vdev->vq[i].pa) { uint16_t nheads; virtqueue_init(&vdev->vq[i]);

[qemu_CVE-2013-6399_1396543906_virtio_load.diff] virtio_load_OLD.c #1
qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-4151_before_1mo_1387256849_virtio_load.c
5
6
7
8
9
10
11
12
13
14
uint32_t supported_features; BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); if (k->load_config) { ret = k->load_config(qbus->parent, f); if (ret) return ret; }
+ show +
15
16
17
18
19
20
qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) {
+ show +
21
22
23
24
25
26
27
28
29
30
supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x", features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6399_before_imd_1396543874_virtio_load.c
6
7
8
9
10
11
12
13
14
15
uint32_t supported_features; BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); if (k->load_config) { ret = k->load_config(qbus->parent, f); if (ret) return ret; }
+ show +
16
17
18
19
20
21
qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) {
+ show +
22
23
24
25
26
27
28
29
30
31
supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x", features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);

[qemu_CVE-2014-0182_1398690503_virtio_load.diff] virtio_load_OLD.c #2
features, supported_features); return -1; } - vdev->config_len = qemu_get_be32(f); + config_len = qemu_get_be32(f); + if (config_len != vdev->config_len) { + error_report("Unexpected config length 0x%x. Expected 0x%zx", + config_len, vdev->config_len); + return -1; + } qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4151_before_1mo_1387256849_virtio_load.c
13
14
15
16
17
18
19
20
21
22
} qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x",
+ show +
23
24
25
26
27
28
29
features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);
+ show +
30
31
32
33
34
35
36
37
38
39
for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) { vdev->vq[i].vring.align = qemu_get_be32(f); } vdev->vq[i].pa = qemu_get_be64(f); qemu_get_be16s(f, &vdev->vq[i].last_avail_idx); vdev->vq[i].signalled_used_valid = false; vdev->vq[i].notification = true;
.\cloneFuncs\totalClone\Type-1\CVE-2013-6399_after_imd_1396543913_virtio_load.c
17
18
19
20
21
22
23
24
25
26
qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { return -1; } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x",
+ show +
27
28
29
30
31
32
33
features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);
+ show +
34
35
36
37
38
39
40
41
42
43
if (num > VIRTIO_PCI_QUEUE_MAX) { error_report("Invalid number of PCI queues: 0x%x", num); return -1; } for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) { vdev->vq[i].vring.align = qemu_get_be32(f);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6399_before_imd_1396543874_virtio_load.c
14
15
16
17
18
19
20
21
22
23
} qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { supported_features = k->get_features(qbus->parent); error_report("Features 0x%x unsupported. Allowed features: 0x%x",
+ show +
24
25
26
27
28
29
30
features, supported_features); return -1; } vdev->config_len = qemu_get_be32(f); qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f);
+ show +
31
32
33
34
35
36
37
38
39
40
if (num > VIRTIO_PCI_QUEUE_MAX) { error_report("Invalid number of PCI queues: 0x%x", num); return -1; } for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) { vdev->vq[i].vring.align = qemu_get_be32(f);

[libtiff_CVE-2013-4231_1376457533_readraster.diff] readraster_OLD.c #1
int status = 1; datasize = getc(infile); + if (datasize > 12) + return 0; clear = 1 << datasize; eoi = clear + 1; avail = clear + 2;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4231_before_1mo_1268247408_readraster.c
1
2
3
4
5
6
7
8
9
int readraster(void) { unsigned char *fill = raster; unsigned char buf[255]; register int bits=0; register unsigned long datum=0; register unsigned char *ch; register int count, code;
+ show +
10
11
12
13
14
15
int status = 1; datasize = getc(infile); clear = 1 << datasize; eoi = clear + 1; avail = clear + 2;
+ show +
16
17
18
19
20
21
22
23
24
25
oldcode = -1; codesize = datasize + 1; codemask = (1 << codesize) - 1; for (code = 0; code < clear; code++) { prefix[code] = 0; suffix[code] = code; } stackp = stack; for (count = getc(infile); count > 0; count = getc(infile)) { fread(buf,1,count,infile);

[libtiff_CVE-2013-4244_1379039690_TIFFAdvanceDirectory.diff] TIFFAdvanceDirectory_OLD.c #1
if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size)) { TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); + *nextdir=0; return(0); } _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));
.\cloneFuncs\totalClone\Type-1\CVE-2013-4244_before_1mo_1338958680_TIFFAdvanceDirectory.c
5
6
7
8
9
10
11
12
13
14
if (isMapped(tif)) { uint64 poff=*nextdir; if (!(tif->tif_flags&TIFF_BIGTIFF)) { tmsize_t poffa,poffb,poffc,poffd; uint16 dircount; uint32 nextdir32; poffa=(tmsize_t)poff; poffb=poffa+sizeof(uint16);
+ show +
15
16
17
18
19
20
if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size)) { TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); return(0); } _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));
+ show +
21
22
23
24
25
26
27
28
29
30
if (tif->tif_flags&TIFF_SWAB) TIFFSwabShort(&dircount); poffc=poffb+dircount*12; poffd=poffc+sizeof(uint32); if ((poffc<poffb)||(poffc<dircount*12)||(poffd<poffc)||(poffd<(tmsize_t)sizeof(uint32))||(poffd>tif->tif_size)) { TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory link"); return(0); } if (off!=NULL)

[linux_CVE-2013-4299_1381889867_persistent_prepare_exception.diff] persistent_prepare_exception_OLD.c #1
struct dm_exception *e) { struct pstore *ps = get_info(store); - uint32_t stride; - chunk_t next_free; sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev); /* Is there enough room ? */
.\cloneFuncs\totalClone\Type-1\CVE-2013-4299_before_1mo_1306525858_persistent_prepare_exception.c
1
static int persistent_prepare_exception(struct dm_exception_store *store,
+ show +
2
3
4
5
6
7
8
9
struct dm_exception *e) { struct pstore *ps = get_info(store); uint32_t stride; chunk_t next_free; sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev); /* Is there enough room ? */
+ show +
10
11
12
13
14
15
16
17
18
19
if (size < ((ps->next_free + 1) * store->chunk_size)) return -ENOSPC; e->new_chunk = ps->next_free; /* * Move onto the next free pending, making sure to take * into account the location of the metadata chunks. */ stride = (ps->exceptions_per_area + 1);

[linux_CVE-2013-4312_1453131369_free_pipe_info.diff] free_pipe_info_OLD.c #1
{ int i; + account_pipe_buffers(pipe, pipe->buffers, 0); + free_uid(pipe->user); for (i = 0; i < pipe->buffers; i++) { struct pipe_buffer *buf = pipe->bufs + i; if (buf->ops)
.\cloneFuncs\totalClone\Type-1\CVE-2013-4312_before_1mo_1445117168_free_pipe_info.c
1
void free_pipe_info(struct pipe_inode_info *pipe)
+ show +
2
3
4
5
6
7
{ int i; for (i = 0; i < pipe->buffers; i++) { struct pipe_buffer *buf = pipe->bufs + i; if (buf->ops)
+ show +
8
9
10
11
12
13
14
buf->ops->release(pipe, buf); } if (pipe->tmp_page) __free_page(pipe->tmp_page); kfree(pipe->bufs); kfree(pipe); }

[linux_CVE-2013-4312_1453131369_pipe_fcntl.diff] pipe_fcntl_OLD.c #1
if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { ret = -EPERM; goto out; + } else if ((too_many_pipe_buffers_hard(pipe->user) || + too_many_pipe_buffers_soft(pipe->user)) && + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + ret = -EPERM; + goto out; } ret = pipe_set_size(pipe, nr_pages); break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4312_before_1mo_1445117168_pipe_fcntl.c
13
14
15
16
17
18
19
20
21
22
case F_SETPIPE_SZ: { unsigned int size, nr_pages; size = round_pipe_size(arg); nr_pages = size >> PAGE_SHIFT; ret = -EINVAL; if (!nr_pages) goto out;
+ show +
23
24
25
26
27
28
if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { ret = -EPERM; goto out; } ret = pipe_set_size(pipe, nr_pages); break;
+ show +
29
30
31
32
33
34
35
36
37
38
} case F_GETPIPE_SZ: ret = pipe->buffers * PAGE_SIZE; break; default: ret = -EINVAL; break; } out:

[qemu_CVE-2013-4344_1381304463_scsi_build_sense.diff] scsi_build_sense_OLD.c #1
buf[7] = 10; buf[12] = sense.asc; buf[13] = sense.ascq; - return MIN(len, 18); + return MIN(len, SCSI_SENSE_LEN); } else { /* Return descriptor format sense buffer */ buf[0] = 0x72;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4344_before_1mo_1377295347_scsi_build_sense.c
28
29
30
31
32
33
34
35
36
37
sense.asc = in_buf[2]; sense.ascq = in_buf[3]; } } memset(buf, 0, len); if (fixed) { /* Return fixed format sense buffer */ buf[0] = 0x70; buf[2] = sense.key;
+ show +
38
39
40
41
42
43
44
buf[7] = 10; buf[12] = sense.asc; buf[13] = sense.ascq; return MIN(len, 18); } else { /* Return descriptor format sense buffer */ buf[0] = 0x72;
+ show +
45
46
47
48
49
50
buf[1] = sense.key; buf[2] = sense.asc; buf[3] = sense.ascq; return 8; } }

[qemu_CVE-2013-4344_1381304463_scsi_target_emulate_inquiry.diff] scsi_target_emulate_inquiry_OLD.c #1
static bool scsi_target_emulate_inquiry(SCSITargetReq *r) { assert(r->req.dev->lun != r->req.lun); + + scsi_target_alloc_buf(&r->req, SCSI_INQUIRY_LEN); + if (r->req.cmd.buf[1] & 0x2) { /* Command support data - optional, not implemented */ return false;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4344_before_1mo_1377295347_scsi_target_emulate_inquiry.c
+ show +
1
2
3
4
5
6
static bool scsi_target_emulate_inquiry(SCSITargetReq *r) { assert(r->req.dev->lun != r->req.lun); if (r->req.cmd.buf[1] & 0x2) { /* Command support data - optional, not implemented */ return false;
+ show +
7
8
9
10
11
12
13
14
15
16
} if (r->req.cmd.buf[1] & 0x1) { /* Vital product data */ uint8_t page_code = r->req.cmd.buf[2]; r->buf[r->len++] = page_code ; /* this page */ r->buf[r->len++] = 0x00; switch (page_code) { case 0x00: /* Supported page codes, mandatory */

[qemu_CVE-2013-4344_1381304463_scsi_target_emulate_inquiry.diff] scsi_target_emulate_inquiry_OLD.c #2
return false; } /* done with EVPD */ - assert(r->len < sizeof(r->buf)); + assert(r->len < r->buf_len); r->len = MIN(r->req.cmd.xfer, r->len); return true; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4344_before_1mo_1377295347_scsi_target_emulate_inquiry.c
15
16
17
18
19
20
21
22
23
24
switch (page_code) { case 0x00: /* Supported page codes, mandatory */ { int pages; pages = r->len++; r->buf[r->len++] = 0x00; /* list of supported pages (this page) */ r->buf[pages] = r->len - pages - 1; /* number of pages */ break; } default:
+ show +
25
26
27
28
29
30
31
return false; } /* done with EVPD */ assert(r->len < sizeof(r->buf)); r->len = MIN(r->req.cmd.xfer, r->len); return true; }
+ show +
32
33
34
35
36
37
38
39
40
41
/* Standard INQUIRY data */ if (r->req.cmd.buf[2] != 0) { return false; } /* PAGE CODE == 0 */ r->len = MIN(r->req.cmd.xfer, 36); memset(r->buf, 0, r->len); if (r->req.lun != 0) {

[qemu_CVE-2013-4344_1381304463_scsi_target_emulate_inquiry.diff] scsi_target_emulate_inquiry_OLD.c #3
} /* PAGE CODE == 0 */ - r->len = MIN(r->req.cmd.xfer, 36); + r->len = MIN(r->req.cmd.xfer, SCSI_INQUIRY_LEN); memset(r->buf, 0, r->len); if (r->req.lun != 0) { r->buf[0] = TYPE_NO_LUN;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4344_before_1mo_1377295347_scsi_target_emulate_inquiry.c
26
27
28
29
30
31
32
33
34
35
} /* done with EVPD */ assert(r->len < sizeof(r->buf)); r->len = MIN(r->req.cmd.xfer, r->len); return true; } /* Standard INQUIRY data */ if (r->req.cmd.buf[2] != 0) { return false;
+ show +
36
37
38
39
40
41
42
} /* PAGE CODE == 0 */ r->len = MIN(r->req.cmd.xfer, 36); memset(r->buf, 0, r->len); if (r->req.lun != 0) { r->buf[0] = TYPE_NO_LUN;
+ show +
43
44
45
46
47
48
49
50
51
52
} else { r->buf[0] = TYPE_NOT_PRESENT | TYPE_INACTIVE; r->buf[2] = 5; /* Version */ r->buf[3] = 2 | 0x10; /* HiSup, response data format */ r->buf[4] = r->len - 5; /* Additional Length = (Len - 1) - 4 */ r->buf[7] = 0x10 | (r->req.bus->info->tcq ? 0x02 : 0); /* Sync, TCQ. */ memcpy(&r->buf[8], "QEMU ", 8); memcpy(&r->buf[16], "QEMU TARGET ", 16); pstrcpy((char *) &r->buf[32], 4, qemu_get_version()); }

[qemu_CVE-2013-4344_1381304463_scsi_target_send_command.diff] scsi_target_send_command_OLD.c #1
} break; case REQUEST_SENSE: + scsi_target_alloc_buf(&r->req, SCSI_SENSE_LEN); r->len = scsi_device_get_sense(r->req.dev, r->buf, - MIN(req->cmd.xfer, sizeof r->buf), + MIN(req->cmd.xfer, r->buf_len), (req->cmd.buf[1] & 1) == 0); if (r->req.dev->sense_is_ua) { scsi_device_unit_attention_reported(req->dev);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4344_before_1mo_1377295347_scsi_target_send_command.c
4
5
6
7
8
9
10
11
12
13
switch (buf[0]) { case REPORT_LUNS: if (!scsi_target_emulate_report_luns(r)) { goto illegal_request; } break; case INQUIRY: if (!scsi_target_emulate_inquiry(r)) { goto illegal_request;
+ show +
14
15
16
17
18
19
20
21
} break; case REQUEST_SENSE: r->len = scsi_device_get_sense(r->req.dev, r->buf, MIN(req->cmd.xfer, sizeof r->buf), (req->cmd.buf[1] & 1) == 0); if (r->req.dev->sense_is_ua) { scsi_device_unit_attention_reported(req->dev);
+ show +
22
23
24
25
26
27
28
29
30
31
r->req.dev->sense_len = 0; r->req.dev->sense_is_ua = false; } break; default: scsi_req_build_sense(req, SENSE_CODE(LUN_NOT_SUPPORTED)); scsi_req_complete(req, CHECK_CONDITION); return 0; illegal_request: scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));

[openssl_CVE-2013-4353_1389109055_ssl3_take_mac.diff] ssl3_take_mac_OLD.c #1
{ const char *sender; int slen; - + /* If no new cipher setup return immediately: other functions will + * set the appropriate error. + */ + if (s->s3->tmp.new_cipher == NULL) + return; if (s->state & SSL_ST_CONNECT) { sender=s->method->ssl3_enc->server_finished_label;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4353_before_1mo_1363016068_ssl3_take_mac.c
1
static void ssl3_take_mac(SSL *s)
+ show +
2
3
4
5
6
7
8
{ const char *sender; int slen; if (s->state & SSL_ST_CONNECT) { sender=s->method->ssl3_enc->server_finished_label;
+ show +
9
10
11
12
13
14
15
16
17
18
slen=s->method->ssl3_enc->server_finished_label_len; } else { sender=s->method->ssl3_enc->client_finished_label; slen=s->method->ssl3_enc->client_finished_label_len; } s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.peer_finish_md);

[xen_CVE-2013-4355_1380543466_realmode_deliver_exception.diff] realmode_deliver_exception_OLD.c #1
again: last_byte = (vector * 4) + 3; - if ( idtr->limit < last_byte ) + if ( idtr->limit < last_byte || + hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) != + HVMCOPY_okay ) { /* Software interrupt? */ if ( insn_len != 0 )
.\cloneFuncs\totalClone\Type-1\CVE-2013-4355_before_1mo_1319557697_realmode_deliver_exception.c
6
7
8
9
10
11
12
13
14
15
struct segment_register *idtr, *csr; struct cpu_user_regs *regs = hvmemul_ctxt->ctxt.regs; uint32_t cs_eip, pstk; uint16_t frame[3]; unsigned int last_byte; idtr = hvmemul_get_seg_reg(x86_seg_idtr, hvmemul_ctxt); csr = hvmemul_get_seg_reg(x86_seg_cs, hvmemul_ctxt); __set_bit(x86_seg_cs, &hvmemul_ctxt->seg_reg_dirty);
+ show +
16
17
18
19
20
21
again: last_byte = (vector * 4) + 3; if ( idtr->limit < last_byte ) { /* Software interrupt? */ if ( insn_len != 0 )
+ show +
22
23
24
25
26
27
28
29
30
31
{ insn_len = 0; vector = TRAP_gp_fault; goto again; } /* Exception or hardware interrupt. */ switch ( vector ) { case TRAP_double_fault:

[xen_CVE-2013-4355_1380543466_realmode_deliver_exception.diff] realmode_deliver_exception_OLD.c #2
} } - (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4); - frame[0] = regs->eip + insn_len; frame[1] = csr->sel; frame[2] = regs->eflags & ~X86_EFLAGS_RF;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4355_before_1mo_1319557697_realmode_deliver_exception.c
30
31
32
33
34
35
36
37
38
39
{ case TRAP_double_fault: hvm_triple_fault(); return; case TRAP_gp_fault: vector = TRAP_double_fault; goto again; default: vector = TRAP_gp_fault; goto again;
+ show +
40
41
42
43
44
45
46
47
} } (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4); frame[0] = regs->eip + insn_len; frame[1] = csr->sel; frame[2] = regs->eflags & ~X86_EFLAGS_RF;
+ show +
48
49
50
51
52
53
54
55
56
57
/* We can't test hvmemul_ctxt->ctxt.sp_size: it may not be initialised. */ if ( hvmemul_ctxt->seg_reg[x86_seg_ss].attr.fields.db ) { regs->esp -= 6; pstk = regs->esp; } else { pstk = (uint16_t)(regs->esp - 6);

[xen_CVE-2013-4356_1380543505_sh_install_xen_entries_in_l4.diff] sh_install_xen_entries_in_l4_OLD.c #1
{ struct domain *d = v->domain; shadow_l4e_t *sl4e; + unsigned int slots; sl4e = sh_map_domain_page(sl4mfn); ASSERT(sl4e != NULL); ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t)); /* Copy the common Xen mappings from the idle domain */ + slots = (shadow_mode_external(d) + ? ROOT_PAGETABLE_XEN_SLOTS + : ROOT_PAGETABLE_PV_XEN_SLOTS); memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT], &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT], - ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t)); + slots * sizeof(l4_pgentry_t)); /* Install the per-domain mappings for this domain */ sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
.\cloneFuncs\totalClone\Type-1\CVE-2013-4356_before_1mo_1367491076_sh_install_xen_entries_in_l4.c
1
void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn)
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{ struct domain *d = v->domain; shadow_l4e_t *sl4e; sl4e = sh_map_domain_page(sl4mfn); ASSERT(sl4e != NULL); ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t)); /* Copy the common Xen mappings from the idle domain */ memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT], &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT], ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t)); /* Install the per-domain mappings for this domain */ sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
+ show +
17
18
19
20
21
22
23
24
25
26
shadow_l4e_from_mfn(page_to_mfn(d->arch.perdomain_l3_pg), __PAGE_HYPERVISOR); /* Shadow linear mapping for 4-level shadows. N.B. for 3-level * shadows on 64-bit xen, this linear mapping is later replaced by the * monitor pagetable structure, which is built in make_monitor_table * and maintained by sh_update_linear_entries. */ sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR);

[xen_CVE-2013-4361_1380543538_x86_emulate.diff] x86_emulate_OLD.c #1
break; case 4: /* fbld m80dec */ ea.bytes = 10; - dst = ea; + src = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; - emulate_fpu_insn_memdst("fbld", src.val); + emulate_fpu_insn_memsrc("fbld", src.val); break; case 5: /* fild m64i */ ea.bytes = 8;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fists", dst.val); break; case 3: /* fistp m16i */ ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fistps", dst.val);
+ show +
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
break; case 4: /* fbld m80dec */ ea.bytes = 10; dst = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memdst("fbld", src.val); break; case 5: /* fild m64i */ ea.bytes = 8;
+ show +
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
src = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memsrc("fildll", src.val); break; case 6: /* fbstp packed bcd */ ea.bytes = 10; dst = ea; dst.type = OP_MEM;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fists", dst.val); break; case 3: /* fistp m16i */ ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fistps", dst.val);
+ show +
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
break; case 4: /* fbld m80dec */ ea.bytes = 10; dst = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memdst("fbld", src.val); break; case 5: /* fild m64i */ ea.bytes = 8;
+ show +
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
src = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memsrc("fildll", src.val); break; case 6: /* fbstp packed bcd */ ea.bytes = 10; dst = ea; dst.type = OP_MEM;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fists", dst.val); break; case 3: /* fistp m16i */ ea.bytes = 2; dst = ea; dst.type = OP_MEM; emulate_fpu_insn_memdst("fistps", dst.val);
+ show +
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
break; case 4: /* fbld m80dec */ ea.bytes = 10; dst = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memdst("fbld", src.val); break; case 5: /* fild m64i */ ea.bytes = 8;
+ show +
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
src = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; emulate_fpu_insn_memsrc("fildll", src.val); break; case 6: /* fbstp packed bcd */ ea.bytes = 10; dst = ea; dst.type = OP_MEM;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #1
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; - if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) + if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 ) return rc; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
558
559
560
561
562
563
564
565
566
567
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
568
569
570
571
572
573
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
574
575
576
577
578
579
580
581
582
583
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
559
560
561
562
563
564
565
566
567
568
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
569
570
571
572
573
574
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
575
576
577
578
579
580
581
582
583
584
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
558
559
560
561
562
563
564
565
566
567
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
568
569
570
571
572
573
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
574
575
576
577
578
579
580
581
582
583
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
558
559
560
561
562
563
564
565
566
567
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
568
569
570
571
572
573
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
574
575
576
577
578
579
580
581
582
583
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
523
524
525
526
527
528
529
530
531
532
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
533
534
535
536
537
538
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
539
540
541
542
543
544
545
546
547
548
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
526
527
528
529
530
531
532
533
534
535
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
536
537
538
539
540
541
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
542
543
544
545
546
547
548
549
550
551
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
559
560
561
562
563
564
565
566
567
568
} case 0x07: /* pop %%es */ src.val = x86_seg_es; pop_seg: generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); fail_if(ops->write_segment == NULL); /* 64-bit mode: POP defaults to a 64-bit operand. */ if ( mode_64bit() && (op_bytes == 4) ) op_bytes = 8;
+ show +
569
570
571
572
573
574
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &dst.val, op_bytes, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) return rc; break;
+ show +
575
576
577
578
579
580
581
582
583
584
case 0x0e: /* push %%cs */ src.val = x86_seg_cs; goto push_seg; case 0x16: /* push %%ss */ src.val = x86_seg_ss; goto push_seg; case 0x17: /* pop %%ss */

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #2
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); - if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) + if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
912
913
914
915
916
917
918
919
920
921
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
922
923
924
925
926
927
928
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
929
930
931
932
933
934
935
936
937
938
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
913
914
915
916
917
918
919
920
921
922
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
923
924
925
926
927
928
929
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
930
931
932
933
934
935
936
937
938
939
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
912
913
914
915
916
917
918
919
920
921
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
922
923
924
925
926
927
928
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
929
930
931
932
933
934
935
936
937
938
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
912
913
914
915
916
917
918
919
920
921
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
922
923
924
925
926
927
928
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
929
930
931
932
933
934
935
936
937
938
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
893
894
895
896
897
898
899
900
901
902
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
903
904
905
906
907
908
909
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
910
911
912
913
914
915
916
917
918
919
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
896
897
898
899
900
901
902
903
904
905
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
906
907
908
909
910
911
912
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
913
914
915
916
917
918
919
920
921
922
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
913
914
915
916
917
918
919
920
921
922
fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 ) goto done; dst.val = reg.sel; if ( dst.type == OP_MEM ) dst.bytes = 2; break; } case 0x8e: /* mov r/m,Sreg */ {
+ show +
923
924
925
926
927
928
929
enum x86_segment seg = decode_segment(modrm_reg); generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) goto done; if ( seg == x86_seg_ss ) ctxt->retire.flags.mov_ss = 1;
+ show +
930
931
932
933
934
935
936
937
938
939
dst.type = OP_NONE; break; } case 0x8d: /* lea */ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); dst.val = ea.mem.off; break; case 0x8f: /* pop (sole member of Grp1a) */

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #3
&_regs.eip, op_bytes, ctxt)) ) goto done; - if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) + if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
993
994
995
996
997
998
999
1000
1001
1002
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
1003
1004
1005
1006
1007
1008
1009
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
994
995
996
997
998
999
1000
1001
1002
1003
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
1004
1005
1006
1007
1008
1009
1010
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
993
994
995
996
997
998
999
1000
1001
1002
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
1003
1004
1005
1006
1007
1008
1009
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
993
994
995
996
997
998
999
1000
1001
1002
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
1003
1004
1005
1006
1007
1008
1009
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
974
975
976
977
978
979
980
981
982
983
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
984
985
986
987
988
989
990
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
991
992
993
994
995
996
997
998
999
1000
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
977
978
979
980
981
982
983
984
985
986
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
987
988
989
990
991
992
993
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
994
995
996
997
998
999
1000
1001
1002
1003
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
994
995
996
997
998
999
1000
1001
1002
1003
generate_exception_if(mode_64bit(), EXC_UD, -1); fail_if(ops->read_segment == NULL); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
+ show +
1004
1005
1006
1007
1008
1009
1010
&_regs.eip, op_bytes, ctxt)) ) goto done; if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
} case 0x9b: /* wait/fwait */ emulate_fpu_insn("fwait"); break; case 0x9c: /* pushf */ src.val = _regs.eflags; goto push;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #4
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; - if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) + if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1227
1228
1229
1230
1231
1232
1233
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1228
1229
1230
1231
1232
1233
1234
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1227
1228
1229
1230
1231
1232
1233
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1227
1228
1229
1230
1231
1232
1233
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1207
1208
1209
1210
1211
1212
1213
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1210
1211
1212
1213
1214
1215
1216
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
_regs.eip = dst.val; break; } case 0xc4: /* les */ { unsigned long sel; dst.val = x86_seg_es; les: /* dst.val identifies the segment */ generate_exception_if(mode_64bit() && !twobyte, EXC_UD, -1); generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
+ show +
1228
1229
1230
1231
1232
1233
1234
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, &sel, 2, ctxt, ops)) != 0 ) goto done; if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) goto done; dst.val = src.val; break;
+ show +
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
} case 0xc5: /* lds */ dst.val = x86_seg_ds; goto les; case 0xc8: /* enter imm16,imm8 */ { uint16_t size = insn_fetch_type(uint16_t); uint8_t depth = insn_fetch_type(uint8_t) & 31; int i;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #5
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || - (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) + (rc = load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1301
1302
1303
1304
1305
1306
1307
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
} case 0xcc: /* int3 */ src.val = EXC_BP; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint: fail_if(ops->inject_sw_interrupt == NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1302
1303
1304
1305
1306
1307
1308
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
} case 0xcc: /* int3 */ src.val = EXC_BP; swint_type = x86_swint_int3; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint_type = x86_swint_int;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1301
1302
1303
1304
1305
1306
1307
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
} case 0xcc: /* int3 */ src.val = EXC_BP; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint: fail_if(ops->inject_sw_interrupt == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1301
1302
1303
1304
1305
1306
1307
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
} case 0xcc: /* int3 */ src.val = EXC_BP; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint: fail_if(ops->inject_sw_interrupt == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1281
1282
1283
1284
1285
1286
1287
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
} case 0xcc: /* int3 */ src.val = EXC_BP; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint: fail_if(ops->inject_sw_interrupt == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1284
1285
1286
1287
1288
1289
1290
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
} case 0xcc: /* int3 */ src.val = EXC_BP; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint: fail_if(ops->inject_sw_interrupt == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
dst.reg = (unsigned long *)&_regs.ebp; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(dst.bytes), &dst.val, dst.bytes, ctxt, ops)) ) goto done; break; case 0xca: /* ret imm16 (far) */ case 0xcb: /* ret (far) */ { int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0; if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+ show +
1302
1303
1304
1305
1306
1307
1308
&dst.val, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), &src.val, op_bytes, ctxt, ops)) || (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) goto done; _regs.eip = dst.val; break;
+ show +
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
} case 0xcc: /* int3 */ src.val = EXC_BP; swint_type = x86_swint_int3; goto swint; case 0xcd: /* int imm8 */ src.val = insn_fetch_type(uint8_t); swint_type = x86_swint_int;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #6
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; - if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) + if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 ) goto done; break; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1347
1348
1349
1350
1351
1352
1353
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1351
1352
1353
1354
1355
1356
1357
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1347
1348
1349
1350
1351
1352
1353
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1347
1348
1349
1350
1351
1352
1353
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1327
1328
1329
1330
1331
1332
1333
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1330
1331
1332
1333
1334
1335
1336
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eip, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &cs, op_bytes, ctxt, ops)) || (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), &eflags, op_bytes, ctxt, ops)) ) goto done; if ( op_bytes == 2 ) eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u); eflags &= 0x257fd5;
+ show +
1353
1354
1355
1356
1357
1358
1359
_regs.eflags &= mask; _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; _regs.eip = eip; if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) goto done; break; }
+ show +
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
case 0xd0 ... 0xd1: /* Grp2 */ src.val = 1; goto grp2; case 0xd2 ... 0xd3: /* Grp2 */ src.val = _regs.ecx; goto grp2; case 0xd4: /* aam */ {

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #7
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); - if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) + if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1977
1978
1979
1980
1981
1982
1983
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1981
1982
1983
1984
1985
1986
1987
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1977
1978
1979
1980
1981
1982
1983
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1977
1978
1979
1980
1981
1982
1983
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1957
1958
1959
1960
1961
1962
1963
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1960
1961
1962
1963
1964
1965
1966
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
int rel = ((op_bytes == 2) ? (int32_t)insn_fetch_type(int16_t) : insn_fetch_type(int32_t)); jmp_rel(rel); break; } case 0xea: /* jmp (far, absolute) */ { uint16_t sel; uint32_t eip;
+ show +
1983
1984
1985
1986
1987
1988
1989
generate_exception_if(mode_64bit(), EXC_UD, -1); eip = insn_fetch_bytes(op_bytes); sel = insn_fetch_type(uint16_t); if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = eip; break;
+ show +
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
} case 0xeb: /* jmp (short) */ { int rel = insn_fetch_type(int8_t); jmp_rel(rel); break; } case 0xf1: /* int1 (icebp) */ src.val = EXC_DB;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #9
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, - src.val, ctxt, ops)) != 0 ) + src.val, 0, ctxt, ops)) != 0 ) goto done; break;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2342
2343
2344
2345
2346
2347
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2347
2348
2349
2350
2351
2352
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2341
2342
2343
2344
2345
2346
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2341
2342
2343
2344
2345
2346
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2350
2351
2352
2353
2354
2355
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2353
2354
2355
2356
2357
2358
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
*ctxt->regs = _regs; done: return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2);
+ show +
2349
2350
2351
2352
2353
2354
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, src.val, ctxt, ops)) != 0 ) goto done; break;
+ show +
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
case 0x01: /* Grp7 */ { struct segment_register reg; unsigned long base, limit, cr0, cr0w; if ( modrm == 0xdf ) /* invlpga */ { generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); generate_exception_if(!mode_ring0(), EXC_GP, 0); fail_if(ops->invlpg == NULL);

[xen_CVE-2015-2151_1425991551_x86_emulate.diff] x86_emulate_OLD.c #1
} } - if ( override_seg != -1 ) + if ( override_seg != -1 && ea.type == OP_MEM ) ea.mem.seg = override_seg; /* Early operand adjustments. */
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
297
298
299
300
301
302
303
304
305
306
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
307
308
309
310
311
312
313
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
314
315
316
317
318
319
320
321
322
323
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
298
299
300
301
302
303
304
305
306
307
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
308
309
310
311
312
313
314
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
315
316
317
318
319
320
321
322
323
324
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_before_1mo_1421073672_x86_emulate.c
298
299
300
301
302
303
304
305
306
307
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
308
309
310
311
312
313
314
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
315
316
317
318
319
320
321
322
323
324
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
297
298
299
300
301
302
303
304
305
306
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
307
308
309
310
311
312
313
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
314
315
316
317
318
319
320
321
322
323
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
297
298
299
300
301
302
303
304
305
306
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
307
308
309
310
311
312
313
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
314
315
316
317
318
319
320
321
322
323
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_imd_1421073606_x86_emulate.c
298
299
300
301
302
303
304
305
306
307
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
308
309
310
311
312
313
314
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
315
316
317
318
319
320
321
322
323
324
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
298
299
300
301
302
303
304
305
306
307
ea.mem.off++; break; case 1: ea.mem.off += insn_fetch_type(int8_t); break; case 2: ea.mem.off += insn_fetch_type(int32_t); break; } ea.mem.off = truncate_ea(ea.mem.off);
+ show +
308
309
310
311
312
313
314
} } if ( override_seg != -1 ) ea.mem.seg = override_seg; /* Early operand adjustments. */
+ show +
315
316
317
318
319
320
321
322
323
324
if ( !twobyte ) switch ( b ) { case 0xf6 ... 0xf7: /* Grp3 */ switch ( modrm_reg & 7 ) { case 0 ... 1: /* test */ d = (d & ~SrcMask) | SrcImm; break; case 4: /* mul */

[xen_CVE-2016-9383_1479818946_x86_emulate.diff] x86_emulate_OLD.c #1
else { /* + * Instructions such as bt can reference an arbitrary offset from + * their memory operand, but the instruction doing the actual + * emulation needs the appropriate op_bytes read from memory. + * Adjust both the source register and memory operand to make an + * equivalent instruction. + * * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
454
455
456
457
458
459
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
455
456
457
458
459
460
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_after_imd_1426079282_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
455
456
457
458
459
460
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_before_1mo_1421073672_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
455
456
457
458
459
460
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
481
482
483
484
485
486
487
488
489
490
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
491
492
493
494
495
496
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
497
498
499
500
501
502
503
504
505
506
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2016-9383_before_imd_1479818690_x86_emulate.c
132
133
134
135
136
137
138
139
140
141
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
142
143
144
145
146
147
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
148
149
150
151
152
153
154
155
156
157
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
477
478
479
480
481
482
483
484
485
486
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
487
488
489
490
491
492
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
493
494
495
496
497
498
499
500
501
502
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
454
455
456
457
458
459
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
454
455
456
457
458
459
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
409
410
411
412
413
414
415
416
417
418
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
419
420
421
422
423
424
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
425
426
427
428
429
430
431
432
433
434
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
412
413
414
415
416
417
418
419
420
421
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
422
423
424
425
426
427
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
428
429
430
431
432
433
434
435
436
437
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_6mo_1431943891_x86_emulate.c
446
447
448
449
450
451
452
453
454
455
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
456
457
458
459
460
461
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
462
463
464
465
466
467
468
469
470
471
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_imd_1421073606_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
455
456
457
458
459
460
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
455
456
457
458
459
460
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_1mo_1430733341_x86_emulate.c
446
447
448
449
450
451
452
453
454
455
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
456
457
458
459
460
461
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
462
463
464
465
466
467
468
469
470
471
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_6mo_1450703102_x86_emulate.c
447
448
449
450
451
452
453
454
455
456
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
457
458
459
460
461
462
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
463
464
465
466
467
468
469
470
471
472
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
451
452
453
454
455
456
457
458
459
460
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
461
462
463
464
465
466
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
467
468
469
470
471
472
473
474
475
476
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_6mo_1452763955_x86_emulate.c
447
448
449
450
451
452
453
454
455
456
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
457
458
459
460
461
462
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
463
464
465
466
467
468
469
470
471
472
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-9383_before_1mo_1476446956_x86_emulate.c
132
133
134
135
136
137
138
139
140
141
case 4: dst.val = *(uint32_t *)dst.reg; break; case 8: dst.val = *(uint64_t *)dst.reg; break; } } break; case DstBitBase: if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) ) { src.val &= (op_bytes << 3) - 1; }
+ show +
142
143
144
145
146
147
else { /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity.
+ show +
148
149
150
151
152
153
154
155
156
157
* MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 ) src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));

[xen_CVE-2016-9383_1479818946_x86_emulate.diff] x86_emulate_OLD.c #2
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { - unsigned long byte_offset; - byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); + unsigned long byte_offset = + op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); + ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { - ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); + ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); src.val &= (op_bytes << 3) - 1; } }
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_after_imd_1426079282_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_before_1mo_1421073672_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
492
493
494
495
496
497
498
499
500
501
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
502
503
504
505
506
507
508
509
510
511
512
513
514
515
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
516
517
518
519
520
521
522
523
524
525
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-9383_before_imd_1479818690_x86_emulate.c
143
144
145
146
147
148
149
150
151
152
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
153
154
155
156
157
158
159
160
161
162
163
164
165
166
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
167
168
169
170
171
172
173
174
175
176
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
488
489
490
491
492
493
494
495
496
497
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
498
499
500
501
502
503
504
505
506
507
508
509
510
511
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
512
513
514
515
516
517
518
519
520
521
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
420
421
422
423
424
425
426
427
428
429
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
430
431
432
433
434
435
436
437
438
439
440
441
442
443
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
444
445
446
447
448
449
450
451
452
453
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
423
424
425
426
427
428
429
430
431
432
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
433
434
435
436
437
438
439
440
441
442
443
444
445
446
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
447
448
449
450
451
452
453
454
455
456
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_6mo_1431943891_x86_emulate.c
457
458
459
460
461
462
463
464
465
466
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
467
468
469
470
471
472
473
474
475
476
477
478
479
480
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
481
482
483
484
485
486
487
488
489
490
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_imd_1421073606_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_1mo_1430733341_x86_emulate.c
457
458
459
460
461
462
463
464
465
466
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
467
468
469
470
471
472
473
474
475
476
477
478
479
480
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
481
482
483
484
485
486
487
488
489
490
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_6mo_1450703102_x86_emulate.c
458
459
460
461
462
463
464
465
466
467
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
468
469
470
471
472
473
474
475
476
477
478
479
480
481
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
482
483
484
485
486
487
488
489
490
491
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
462
463
464
465
466
467
468
469
470
471
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
472
473
474
475
476
477
478
479
480
481
482
483
484
485
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
486
487
488
489
490
491
492
493
494
495
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_6mo_1452763955_x86_emulate.c
458
459
460
461
462
463
464
465
466
467
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
468
469
470
471
472
473
474
475
476
477
478
479
480
481
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
482
483
484
485
486
487
488
489
490
491
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-9383_before_1mo_1476446956_x86_emulate.c
143
144
145
146
147
148
149
150
151
152
{ /* * EA += BitOffset DIV op_bytes*8 * BitOffset = BitOffset MOD op_bytes*8 * DIV truncates towards negative infinity. * MOD always produces a positive result. */ if ( op_bytes == 2 ) src.val = (int16_t)src.val; else if ( op_bytes == 4 )
+ show +
153
154
155
156
157
158
159
160
161
162
163
164
165
166
src.val = (int32_t)src.val; if ( (long)src.val < 0 ) { unsigned long byte_offset; byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ea.mem.off -= byte_offset; src.val = (byte_offset << 3) + src.val; } else { ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); src.val &= (op_bytes << 3) - 1; } }
+ show +
167
168
169
170
171
172
173
174
175
176
/* Becomes a normal DstMem operation from here on. */ d = (d & ~DstMask) | DstMem; case DstMem: ea.bytes = (d & ByteOp) ? 1 : op_bytes; dst = ea; if ( dst.type == OP_REG ) { generate_exception_if(lock_prefix, EXC_UD, -1); switch ( dst.bytes ) {

[xen_CVE-2013-4370_1378811565_stub_xc_vcpu_getaffinity.diff] stub_xc_vcpu_getaffinity_OLD.c #1
retval = xc_vcpu_getaffinity(_H(xch), _D(domid), Int_val(vcpu), c_cpumap); - free(c_cpumap); - if (retval < 0) { free(c_cpumap); failwith_xc(_H(xch));
.\cloneFuncs\totalClone\Type-1\CVE-2013-4370_before_1mo_1357906949_stub_xc_vcpu_getaffinity.c
4
5
6
7
8
9
10
11
12
13
CAMLparam3(xch, domid, vcpu); CAMLlocal1(ret); xc_cpumap_t c_cpumap; int i, len = xc_get_max_cpus(_H(xch)); int retval; c_cpumap = xc_cpumap_alloc(_H(xch)); if (c_cpumap == NULL) failwith_xc(_H(xch));
+ show +
14
15
16
17
18
19
20
retval = xc_vcpu_getaffinity(_H(xch), _D(domid), Int_val(vcpu), c_cpumap); free(c_cpumap); if (retval < 0) { free(c_cpumap); failwith_xc(_H(xch));
+ show +
21
22
23
24
25
26
27
28
29
30
} ret = caml_alloc(len, 0); for (i=0; i<len; i++) { if (c_cpumap[i/8] & 1 << (i&7)) Store_field(ret, i, Val_true); else Store_field(ret, i, Val_false); }

[xen_CVE-2013-4371_1378808326_libxl_list_cpupool.diff] libxl_list_cpupool_OLD.c #1
if (!tmp) { LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info"); libxl_cpupoolinfo_list_free(ptr, i); + ptr = NULL; goto out; } ptr = tmp;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4371_before_1mo_1373022834_libxl_list_cpupool.c
5
6
7
8
9
10
11
12
13
14
int i; uint32_t poolid; ptr = NULL; poolid = 0; for (i = 0;; i++) { if (cpupool_info(gc, &info, poolid, false)) break; tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
+ show +
15
16
17
18
19
20
if (!tmp) { LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info"); libxl_cpupoolinfo_list_free(ptr, i); goto out; } ptr = tmp;
+ show +
21
22
23
24
25
26
27
28
29
ptr[i] = info; poolid = info.poolid + 1; } *nb_pool_out = i; out: GC_FREE; return ptr; }

[xen_CVE-2013-4416_1383061553_send_reply.diff] send_reply_OLD.c #1
{ struct buffered_data *bdata; + if ( len > XENSTORE_PAYLOAD_MAX ) { + send_error(conn, E2BIG); + return; + } + /* Message is a child of the connection context for auto-cleanup. */ bdata = new_buffer(conn); bdata->buffer = talloc_array(bdata, char, len);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4416_before_1mo_1364210251_send_reply.c
1
2
void send_reply(struct connection *conn, enum xsd_sockmsg_type type, const void *data, unsigned int len)
+ show +
3
4
5
6
7
8
{ struct buffered_data *bdata; /* Message is a child of the connection context for auto-cleanup. */ bdata = new_buffer(conn); bdata->buffer = talloc_array(bdata, char, len);
+ show +
9
10
11
12
13
14
15
16
17
18
/* Echo request header in reply unless this is an async watch event. */ if (type != XS_WATCH_EVENT) { memcpy(&bdata->hdr.msg, &conn->in->hdr.msg, sizeof(struct xsd_sockmsg)); } else { memset(&bdata->hdr.msg, 0, sizeof(struct xsd_sockmsg)); } /* Update relevant header fields and fill in the message body. */

[qemu_CVE-2013-4533_1396543917_pxa2xx_ssp_load.diff] pxa2xx_ssp_load_OLD.c #1
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) { PXA2xxSSPState *s = (PXA2xxSSPState *) opaque; - int i; + int i, v; s->enable = qemu_get_be32(f);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4533_before_1mo_1393435206_pxa2xx_ssp_load.c
+ show +
1
2
3
4
5
6
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) { PXA2xxSSPState *s = (PXA2xxSSPState *) opaque; int i; s->enable = qemu_get_be32(f);
+ show +
7
8
9
10
11
12
13
14
15
16
qemu_get_be32s(f, &s->sscr[0]); qemu_get_be32s(f, &s->sscr[1]); qemu_get_be32s(f, &s->sspsp); qemu_get_be32s(f, &s->ssto); qemu_get_be32s(f, &s->ssitr); qemu_get_be32s(f, &s->sssr); qemu_get_8s(f, &s->sstsa); qemu_get_8s(f, &s->ssrsa); qemu_get_8s(f, &s->ssacd);

[qemu_CVE-2013-4534_1398690497_openpic_load.diff] openpic_load_OLD.c #1
static int openpic_load(QEMUFile* f, void *opaque, int version_id) { OpenPICState *opp = (OpenPICState *)opaque; - unsigned int i; + unsigned int i, nb_cpus; if (version_id != 1) { return -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2013-4534_before_1mo_1371395061_openpic_load.c
+ show +
1
2
3
4
5
6
7
static int openpic_load(QEMUFile* f, void *opaque, int version_id) { OpenPICState *opp = (OpenPICState *)opaque; unsigned int i; if (version_id != 1) { return -EINVAL;
+ show +
8
9
10
11
12
13
14
15
16
17
} qemu_get_be32s(f, &opp->gcr); qemu_get_be32s(f, &opp->vir); qemu_get_be32s(f, &opp->pir); qemu_get_be32s(f, &opp->spve); qemu_get_be32s(f, &opp->tfrr); qemu_get_be32s(f, &opp->nb_cpus);

[qemu_CVE-2013-4534_1398690497_openpic_load.diff] openpic_load_OLD.c #2
qemu_get_be32s(f, &opp->spve); qemu_get_be32s(f, &opp->tfrr); - qemu_get_be32s(f, &opp->nb_cpus); + qemu_get_be32s(f, &nb_cpus); + if (opp->nb_cpus != nb_cpus) { + return -EINVAL; + } + assert(nb_cpus > 0 && nb_cpus <= MAX_CPU); for (i = 0; i < opp->nb_cpus; i++) { qemu_get_sbe32s(f, &opp->dst[i].ctpr);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4534_before_1mo_1371395061_openpic_load.c
3
4
5
6
7
8
9
10
11
12
OpenPICState *opp = (OpenPICState *)opaque; unsigned int i; if (version_id != 1) { return -EINVAL; } qemu_get_be32s(f, &opp->gcr); qemu_get_be32s(f, &opp->vir); qemu_get_be32s(f, &opp->pir);
+ show +
13
14
15
16
17
18
19
qemu_get_be32s(f, &opp->spve); qemu_get_be32s(f, &opp->tfrr); qemu_get_be32s(f, &opp->nb_cpus); for (i = 0; i < opp->nb_cpus; i++) { qemu_get_sbe32s(f, &opp->dst[i].ctpr);
+ show +
20
21
22
23
24
25
26
27
28
29
openpic_load_IRQ_queue(f, &opp->dst[i].raised); openpic_load_IRQ_queue(f, &opp->dst[i].servicing); qemu_get_buffer(f, (uint8_t *)&opp->dst[i].outputs_active, sizeof(opp->dst[i].outputs_active)); } for (i = 0; i < OPENPIC_MAX_TMR; i++) { qemu_get_be32s(f, &opp->timers[i].tccr); qemu_get_be32s(f, &opp->timers[i].tbcr); }

[qemu_CVE-2013-4534_1398690497_openpic_realize.diff] openpic_realize_OLD.c #1
{NULL} }; + if (opp->nb_cpus > MAX_CPU) { + error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE, + TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus, + (uint64_t)0, (uint64_t)MAX_CPU); + return; + } + switch (opp->model) { case OPENPIC_MODEL_FSL_MPIC_20: default:
.\cloneFuncs\totalClone\Type-1\CVE-2013-4534_before_1mo_1371395061_openpic_realize.c
24
25
26
27
28
29
30
31
32
33
OPENPIC_SRC_REG_START, OPENPIC_SRC_REG_SIZE}, {"cpu", &openpic_cpu_ops_be, OPENPIC_CPU_REG_START, OPENPIC_CPU_REG_SIZE}, {NULL} }; static const MemReg list_fsl[] = { {"msi", &openpic_msi_ops_be, OPENPIC_MSI_REG_START, OPENPIC_MSI_REG_SIZE}, {"summary", &openpic_summary_ops_be, OPENPIC_SUMMARY_REG_START, OPENPIC_SUMMARY_REG_SIZE},
+ show +
34
35
36
37
38
39
{NULL} }; switch (opp->model) { case OPENPIC_MODEL_FSL_MPIC_20: default:
+ show +
40
41
42
43
44
45
46
47
48
49
opp->fsl = &fsl_mpic_20; opp->brr1 = 0x00400200; opp->flags |= OPENPIC_FLAG_IDR_CRIT; opp->nb_irqs = 80; opp->mpic_mode_mask = GCR_MODE_MIXED; fsl_common_init(opp); map_list(opp, list_be, &list_count); map_list(opp, list_fsl, &list_count);

[qemu_CVE-2013-4535_1396543913_virtqueue_map_sg.diff] virtqueue_map_sg_OLD.c #1
unsigned int i; hwaddr len; + if (num_sg >= VIRTQUEUE_MAX_SIZE) { + error_report("virtio: map attempt out of bounds: %zd > %d", + num_sg, VIRTQUEUE_MAX_SIZE); + exit(1); + } + for (i = 0; i < num_sg; i++) { len = sg[i].iov_len; sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4535_before_1mo_1387257726_virtqueue_map_sg.c
1
2
3
void virtqueue_map_sg(struct iovec *sg, hwaddr *addr, size_t num_sg, int is_write) {
+ show +
4
5
6
7
8
9
unsigned int i; hwaddr len; for (i = 0; i < num_sg; i++) { len = sg[i].iov_len; sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+ show +
10
11
12
13
14
15
if (sg[i].iov_base == NULL || len != sg[i].iov_len) { error_report("virtio: trying to map MMIO memory"); exit(1); } } }

[qemu_CVE-2013-4539_1396543929_tsc210x_load.diff] tsc210x_load_OLD.c #1
s->enabled = qemu_get_byte(f); s->host_mode = qemu_get_byte(f); s->function = qemu_get_byte(f); + if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) { + return -EINVAL; + } s->nextfunction = qemu_get_byte(f); + if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) { + return -EINVAL; + } s->precision = qemu_get_byte(f); + if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) { + return -EINVAL; + } s->nextprecision = qemu_get_byte(f); + if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) { + return -EINVAL; + } s->filter = qemu_get_byte(f); s->pin_func = qemu_get_byte(f); s->ref = qemu_get_byte(f);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4539_before_imd_1377097388_tsc210x_load.c
10
11
12
13
14
15
16
17
18
19
s->state = qemu_get_byte(f); s->page = qemu_get_byte(f); s->offset = qemu_get_byte(f); s->command = qemu_get_byte(f); s->irq = qemu_get_byte(f); qemu_get_be16s(f, &s->dav); timer_get(f, s->timer);
+ show +
20
21
22
23
24
25
26
27
28
s->enabled = qemu_get_byte(f); s->host_mode = qemu_get_byte(f); s->function = qemu_get_byte(f); s->nextfunction = qemu_get_byte(f); s->precision = qemu_get_byte(f); s->nextprecision = qemu_get_byte(f); s->filter = qemu_get_byte(f); s->pin_func = qemu_get_byte(f); s->ref = qemu_get_byte(f);
+ show +
29
30
31
32
33
34
35
36
37
38
s->timing = qemu_get_byte(f); s->noise = qemu_get_be32(f); qemu_get_be16s(f, &s->audio_ctrl1); qemu_get_be16s(f, &s->audio_ctrl2); qemu_get_be16s(f, &s->audio_ctrl3); qemu_get_be16s(f, &s->pll[0]); qemu_get_be16s(f, &s->pll[1]); qemu_get_be16s(f, &s->volume); s->volume_change = qemu_get_sbe64(f) + now;
.\cloneFuncs\totalClone\Type-2\CVE-2013-4539_before_1mo_1377097382_tsc210x_load.c
10
11
12
13
14
15
16
17
18
19
s->state = qemu_get_byte(f); s->page = qemu_get_byte(f); s->offset = qemu_get_byte(f); s->command = qemu_get_byte(f); s->irq = qemu_get_byte(f); qemu_get_be16s(f, &s->dav); timer_get(f, s->timer);
+ show +
20
21
22
23
24
25
26
27
28
s->enabled = qemu_get_byte(f); s->host_mode = qemu_get_byte(f); s->function = qemu_get_byte(f); s->nextfunction = qemu_get_byte(f); s->precision = qemu_get_byte(f); s->nextprecision = qemu_get_byte(f); s->filter = qemu_get_byte(f); s->pin_func = qemu_get_byte(f); s->ref = qemu_get_byte(f);
+ show +
29
30
31
32
33
34
35
36
37
38
s->timing = qemu_get_byte(f); s->noise = qemu_get_be32(f); qemu_get_be16s(f, &s->audio_ctrl1); qemu_get_be16s(f, &s->audio_ctrl2); qemu_get_be16s(f, &s->audio_ctrl3); qemu_get_be16s(f, &s->pll[0]); qemu_get_be16s(f, &s->pll[1]); qemu_get_be16s(f, &s->volume); s->volume_change = qemu_get_sbe64(f) + now;
.\cloneFuncs\totalClone\Type-2\CVE-2013-4539_before_6mo_1377097359_tsc210x_load.c
10
11
12
13
14
15
16
17
18
19
s->state = qemu_get_byte(f); s->page = qemu_get_byte(f); s->offset = qemu_get_byte(f); s->command = qemu_get_byte(f); s->irq = qemu_get_byte(f); qemu_get_be16s(f, &s->dav); qemu_get_timer(f, s->timer);
+ show +
20
21
22
23
24
25
26
27
28
s->enabled = qemu_get_byte(f); s->host_mode = qemu_get_byte(f); s->function = qemu_get_byte(f); s->nextfunction = qemu_get_byte(f); s->precision = qemu_get_byte(f); s->nextprecision = qemu_get_byte(f); s->filter = qemu_get_byte(f); s->pin_func = qemu_get_byte(f); s->ref = qemu_get_byte(f);
+ show +
29
30
31
32
33
34
35
36
37
38
s->timing = qemu_get_byte(f); s->noise = qemu_get_be32(f); qemu_get_be16s(f, &s->audio_ctrl1); qemu_get_be16s(f, &s->audio_ctrl2); qemu_get_be16s(f, &s->audio_ctrl3); qemu_get_be16s(f, &s->pll[0]); qemu_get_be16s(f, &s->pll[1]); qemu_get_be16s(f, &s->volume); s->volume_change = qemu_get_sbe64(f) + now;

[qemu_CVE-2013-4542_1396543937_virtio_scsi_load_request.diff] virtio_scsi_load_request_OLD.c #1
qemu_get_be32s(f, &n); assert(n < vs->conf.num_queues); qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); + /* TODO: add a way for SCSIBusInfo's load_request to fail, + * and fail migration instead of asserting here. + * When we do, we might be able to re-enable NDEBUG below. + */ +#ifdef NDEBUG +#error building with NDEBUG is not supported +#endif + assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg)); + assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg)); virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); scsi_req_ref(sreq);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4542_before_1mo_1389726986_virtio_scsi_load_request.c
1
2
3
4
5
6
7
8
9
static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq) { SCSIBus *bus = sreq->bus; VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus); VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s); VirtIOSCSIReq *req; uint32_t n; req = g_malloc(sizeof(*req));
+ show +
10
11
12
13
14
15
qemu_get_be32s(f, &n); assert(n < vs->conf.num_queues); qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); scsi_req_ref(sreq);
+ show +
16
17
18
19
20
21
22
23
24
req->sreq = sreq; if (req->sreq->cmd.mode != SCSI_XFER_NONE) { int req_mode = (req->elem.in_num > 1 ? SCSI_XFER_FROM_DEV : SCSI_XFER_TO_DEV); assert(req->sreq->cmd.mode == req_mode); } return req; }

[xen_CVE-2013-4551_1384157704_nvmx_handle_vmresume.diff] nvmx_handle_vmresume_OLD.c #1
struct vcpu *v = current; struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); struct nestedvmx *nvmx = &vcpu_2_nvmx(v); + int rc = vmx_inst_check_privilege(regs, 0); + + if ( rc != X86EMUL_OKAY ) + return rc; if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR ) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-4551_before_1mo_1380882609_nvmx_handle_vmresume.c
1
2
3
int nvmx_handle_vmresume(struct cpu_user_regs *regs) { bool_t launched;
+ show +
4
5
6
7
8
9
struct vcpu *v = current; struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); struct nestedvmx *nvmx = &vcpu_2_nvmx(v); if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR ) {
+ show +
10
11
12
13
14
15
16
17
18
19
vmreturn (regs, VMFAIL_INVALID); return X86EMUL_OKAY; } launched = vvmcs_launched(&nvmx->launched_list, domain_page_map_to_mfn(nvcpu->nv_vvmcx)); if ( !launched ) { vmreturn (regs, VMFAIL_VALID); return X86EMUL_OKAY; }

[linux_CVE-2013-4587_1384819762_kvm_vm_ioctl_create_vcpu.diff] kvm_vm_ioctl_create_vcpu_OLD.c #1
int r; struct kvm_vcpu *vcpu, *v; + if (id >= KVM_MAX_VCPUS) + return -EINVAL; + vcpu = kvm_arch_vcpu_create(kvm, id); if (IS_ERR(vcpu)) return PTR_ERR(vcpu);
.\cloneFuncs\totalClone\Type-1\CVE-2013-4587_before_1mo_1382018687_kvm_vm_ioctl_create_vcpu.c
1
2
static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) {
+ show +
3
4
5
6
7
8
int r; struct kvm_vcpu *vcpu, *v; vcpu = kvm_arch_vcpu_create(kvm, id); if (IS_ERR(vcpu)) return PTR_ERR(vcpu);
+ show +
9
10
11
12
13
14
15
16
17
18
preempt_notifier_init(&vcpu->preempt_notifier, &kvm_preempt_ops); r = kvm_arch_vcpu_setup(vcpu); if (r) goto vcpu_destroy; mutex_lock(&kvm->lock); if (!kvm_vcpu_compatible(vcpu)) { r = -EINVAL;

[linux_CVE-2013-6367_1384899138_apic_get_tmcct.diff] apic_get_tmcct_OLD.c #1
ASSERT(apic != NULL); /* if initial count is 0, current count should also be 0 */ - if (kvm_apic_get_reg(apic, APIC_TMICT) == 0) + if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 || + apic->lapic_timer.period == 0) return 0; remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6367_before_1mo_1374739162_apic_get_tmcct.c
1
2
3
4
5
6
static u32 apic_get_tmcct(struct kvm_lapic *apic) { ktime_t remaining; s64 ns; u32 tmcct;
+ show +
7
8
9
10
11
12
13
ASSERT(apic != NULL); /* if initial count is 0, current count should also be 0 */ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0) return 0; remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
+ show +
14
15
16
17
18
19
20
21
22
if (ktime_to_ns(remaining) < 0) remaining = ktime_set(0, 0); ns = mod_64(ktime_to_ns(remaining), apic->lapic_timer.period); tmcct = div64_u64(ns, (APIC_BUS_CYCLE_NS * apic->divide_count)); return tmcct; }

[linux_CVE-2013-6368_1384971802_kvm_arch_vcpu_ioctl.diff] kvm_arch_vcpu_ioctl_OLD.c #1
r = -EFAULT; if (copy_from_user(&va, argp, sizeof va)) goto out; - r = 0; - kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); + r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); break; } case KVM_X86_SETUP_MCE: {
.\cloneFuncs\totalClone\Type-1\CVE-2013-6368_before_1mo_1381164480_kvm_arch_vcpu_ioctl.c
113
114
115
116
117
118
119
120
121
122
goto out; r = 0; break; }; case KVM_SET_VAPIC_ADDR: { struct kvm_vapic_addr va; r = -EINVAL; if (!irqchip_in_kernel(vcpu->kvm)) goto out;
+ show +
123
124
125
126
127
128
129
130
r = -EFAULT; if (copy_from_user(&va, argp, sizeof va)) goto out; r = 0; kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); break; } case KVM_X86_SETUP_MCE: {
+ show +
131
132
133
134
135
136
137
138
139
140
u64 mcg_cap; r = -EFAULT; if (copy_from_user(&mcg_cap, argp, sizeof mcg_cap)) goto out; r = kvm_vcpu_ioctl_x86_setup_mce(vcpu, mcg_cap); break; } case KVM_X86_SET_MCE: { struct kvm_x86_mce mce;

[linux_CVE-2013-6368_1384971802___vcpu_run.diff] __vcpu_run_OLD.c #1
struct kvm *kvm = vcpu->kvm; vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); - r = vapic_enter(vcpu); - if (r) { - srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); - return r; - } r = 1; while (r > 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-6368_before_1mo_1381164480___vcpu_run.c
1
2
3
static int __vcpu_run(struct kvm_vcpu *vcpu) { int r;
+ show +
4
5
6
7
8
9
10
11
12
13
14
struct kvm *kvm = vcpu->kvm; vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); r = vapic_enter(vcpu); if (r) { srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); return r; } r = 1; while (r > 0) {
+ show +
15
16
17
18
19
20
21
22
23
24
if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE && !vcpu->arch.apf.halted) r = vcpu_enter_guest(vcpu); else { srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); kvm_vcpu_block(vcpu); vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); if (kvm_check_request(KVM_REQ_UNHALT, vcpu)) { kvm_apic_accept_events(vcpu); switch(vcpu->arch.mp_state) {
.\cloneFuncs\totalClone\Type-3\CVE-2013-6368_before_6mo_1368141701___vcpu_run.c
1
2
3
static int __vcpu_run(struct kvm_vcpu *vcpu) { int r;
+ show +
4
5
6
7
8
9
10
11
12
13
14
struct kvm *kvm = vcpu->kvm; vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); r = vapic_enter(vcpu); if (r) { srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); return r; } r = 1; while (r > 0) {
+ show +
15
16
17
18
19
20
21
22
23
24
if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE && !vcpu->arch.apf.halted) r = vcpu_enter_guest(vcpu); else { srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); kvm_vcpu_block(vcpu); vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); if (kvm_check_request(KVM_REQ_UNHALT, vcpu)) { kvm_apic_accept_events(vcpu); switch(vcpu->arch.mp_state) {

[linux_CVE-2013-6376_1417114993_kvm_irq_delivery_to_apic_fast.diff] kvm_irq_delivery_to_apic_fast_OLD.c #1
dst = &map->phys_map[irq->dest_id]; } else { u32 mda = irq->dest_id << (32 - map->ldr_bits); + u16 cid = apic_cluster_id(map, mda); - dst = map->logical_map[apic_cluster_id(map, mda)]; + if (cid >= ARRAY_SIZE(map->logical_map)) + goto out; + + dst = map->logical_map[cid]; bitmap = apic_logical_id(map, mda);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6376_before_imd_1417127419_kvm_irq_delivery_to_apic_fast.c
25
26
27
28
29
30
31
32
33
34
if (irq->dest_id == map->broadcast) goto out; ret = true; if (irq->dest_mode == 0) { /* physical mode */ if (irq->dest_id >= ARRAY_SIZE(map->phys_map)) goto out;
+ show +
35
36
37
38
39
40
41
dst = &map->phys_map[irq->dest_id]; } else { u32 mda = irq->dest_id << (32 - map->ldr_bits); dst = map->logical_map[apic_cluster_id(map, mda)]; bitmap = apic_logical_id(map, mda);
+ show +
42
43
44
45
46
47
48
49
50
51
if (irq->delivery_mode == APIC_DM_LOWEST) { int l = -1; for_each_set_bit(i, &bitmap, 16) { if (!dst[i]) continue; if (l < 0) l = i; else if (kvm_apic_compare_prio(dst[i]->vcpu, dst[l]->vcpu) < 0) l = i;

[linux_CVE-2013-6376_1417114993_recalculate_apic_map.diff] recalculate_apic_map_OLD.c #1
if (apic_x2apic_mode(apic)) { new->ldr_bits = 32; new->cid_shift = 16; - new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1; - new->lid_mask = 0xffff; + new->cid_mask = new->lid_mask = 0xffff; new->broadcast = X2APIC_BROADCAST; } else if (kvm_apic_get_reg(apic, APIC_LDR)) { if (kvm_apic_get_reg(apic, APIC_DFR) ==
.\cloneFuncs\totalClone\Type-1\CVE-2013-6376_before_imd_1417127419_recalculate_apic_map.c
17
18
19
20
21
22
23
24
25
26
new->cid_mask = 0; new->lid_mask = 0xff; new->broadcast = APIC_BROADCAST; kvm_for_each_vcpu(i, vcpu, kvm) { struct kvm_lapic *apic = vcpu->arch.apic; if (!kvm_apic_present(vcpu)) continue;
+ show +
27
28
29
30
31
32
33
34
if (apic_x2apic_mode(apic)) { new->ldr_bits = 32; new->cid_shift = 16; new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1; new->lid_mask = 0xffff; new->broadcast = X2APIC_BROADCAST; } else if (kvm_apic_get_reg(apic, APIC_LDR)) { if (kvm_apic_get_reg(apic, APIC_DFR) ==
+ show +
35
36
37
38
39
40
41
42
43
44
APIC_DFR_CLUSTER) { new->cid_shift = 4; new->cid_mask = 0xf; new->lid_mask = 0xf; } else { new->cid_shift = 8; new->cid_mask = 0; new->lid_mask = 0xff; } }

[qemu_CVE-2014-0182_1398690503_virtio_load.diff] virtio_load_OLD.c #1
int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; + int32_t config_len; uint32_t num; uint32_t features; uint32_t supported_features;
.\cloneFuncs\totalClone\Type-1\CVE-2013-6399_after_imd_1396543913_virtio_load.c
+ show +
1
2
3
4
5
6
int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; uint32_t num; uint32_t features; uint32_t supported_features;
+ show +
7
8
9
10
11
12
13
14
15
16
BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); if (k->load_config) { ret = k->load_config(qbus->parent, f); if (ret) return ret; } qemu_get_8s(f, &vdev->status);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6399_before_imd_1396543874_virtio_load.c
+ show +
1
2
3
4
5
6
int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; uint32_t num; uint32_t features; uint32_t supported_features;
+ show +
7
8
9
10
11
12
13
14
15
16
BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); if (k->load_config) { ret = k->load_config(qbus->parent, f); if (ret) return ret; } qemu_get_8s(f, &vdev->status);

[openssl_CVE-2013-6450_1387553210_tls1_change_cipher_state.diff] tls1_change_cipher_state_OLD.c #1
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - if (s->enc_write_ctx != NULL) + if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) reuse_dd = 1; - else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) + else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) goto err; - else - /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; - mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + if (SSL_IS_DTLS(s)) + { + mac_ctx = EVP_MD_CTX_create(); + if (!mac_ctx) + goto err; + s->write_hash = mac_ctx; + } + else + mac_ctx = ssl_replace_hash(&s->write_hash,NULL); #ifndef OPENSSL_NO_COMP if (s->compress != NULL) {
.\cloneFuncs\totalClone\Type-1\CVE-2013-6450_before_1mo_1363972353_tls1_change_cipher_state.c
86
87
88
89
90
91
92
93
94
95
#endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ if (s->version != DTLS1_VERSION) memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); mac_secret_size=&(s->s3->read_mac_secret_size); } else { if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
+ show +
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; mac_ctx = ssl_replace_hash(&s->write_hash,NULL); #ifndef OPENSSL_NO_COMP if (s->compress != NULL) {
+ show +
111
112
113
114
115
116
117
118
119
120
COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp->method); if (s->compress == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2;

[xen_CVE-2013-6885_1386060594_init_amd.diff] init_amd_OLD.c #1
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); + if (c->x86 == 0x16 && c->x86_model <= 0xf) { + rdmsrl(MSR_AMD64_LS_CFG, value); + if (!(value & (1 << 15))) { + static bool_t warned; + + if (c == &boot_cpu_data || opt_cpu_info || + !test_and_set_bool(warned)) + printk(KERN_WARNING + "CPU%u: Applying workaround for erratum 793\n", + smp_processor_id()); + wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15)); + } + } + /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
.\cloneFuncs\totalClone\Type-1\CVE-2013-6885_before_imd_1383664911_init_amd.c
100
101
102
103
104
105
106
107
108
109
opt_allow_unsafe = 1; else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); else if (!opt_allow_unsafe && c == &boot_cpu_data) printk(KERN_WARNING "*** Xen will not allow creation of DomU-s on" " this CPU for security reasons. ***\n" KERN_WARNING
+ show +
110
111
112
113
114
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
115
116
117
118
119
120
121
122
123
124
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); /* * On family 10h BIOS may not have properly enabled WC+
.\cloneFuncs\totalClone\Type-2\CVE-2013-6885_before_1mo_1358508058_init_amd.c
100
101
102
103
104
105
106
107
108
109
opt_allow_unsafe = 1; else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); else if (!opt_allow_unsafe && c == &boot_cpu_data) printk(KERN_WARNING "*** Xen will not allow creation of DomU-s on" " this CPU for security reasons. ***\n" KERN_WARNING
+ show +
110
111
112
113
114
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
115
116
117
118
119
120
121
122
123
124
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); /* * On family 10h BIOS may not have properly enabled WC+
.\cloneFuncs\totalClone\Type-3\CVE-2012-2934_after_1mo_1347452970_init_amd.c
126
127
128
129
130
131
132
133
134
135
opt_allow_unsafe = 1; else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); else if (!opt_allow_unsafe && c == &boot_cpu_data) printk(KERN_WARNING "*** Xen will not allow creation of DomU-s on" " this CPU for security reasons. ***\n" KERN_WARNING
+ show +
136
137
138
139
140
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
141
142
143
144
145
146
147
148
149
150
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } /*
.\cloneFuncs\totalClone\Type-3\CVE-2012-2934_after_6mo_1355913729_init_amd.c
100
101
102
103
104
105
106
107
108
109
opt_allow_unsafe = 1; else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); else if (!opt_allow_unsafe && c == &boot_cpu_data) printk(KERN_WARNING "*** Xen will not allow creation of DomU-s on" " this CPU for security reasons. ***\n" KERN_WARNING
+ show +
110
111
112
113
114
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
115
116
117
118
119
120
121
122
123
124
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } /*
.\cloneFuncs\totalClone\Type-3\CVE-2012-2934_after_imd_1345445207_init_amd.c
129
130
131
132
133
134
135
136
137
138
opt_allow_unsafe = 1; else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); else if (!opt_allow_unsafe && c == &boot_cpu_data) printk(KERN_WARNING "*** Xen will not allow creation of DomU-s on" " this CPU for security reasons. ***\n" KERN_WARNING
+ show +
139
140
141
142
143
"*** Pass \"allow_unsafe\" if you're trusting" " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ show +
144
145
146
147
148
149
150
151
152
153
if (c->x86 == 0x10) { /* do this for boot cpu */ if (c == &boot_cpu_data) check_enable_amd_mmconf_dmi(); fam10h_check_enable_mmcfg(); } #endif

[ffmpeg_CVE-2013-7020_1377831069_read_header.diff] read_header_OLD.c #1
memset(state, 128, sizeof(state)); if (f->version < 2) { + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency, colorspace, bits_per_raw_sample; unsigned v = get_symbol(c, state, 0); if (v > 1) { av_log(f->avctx, AV_LOG_ERROR,
.\cloneFuncs\totalClone\Type-1\CVE-2013-7020_before_imd_1398715713_read_header.c
1
2
3
4
5
6
static int read_header(FFV1Context *f) { uint8_t state[CONTEXT_SIZE]; int i, j, context_count = -1; RangeCoder *const c = &f->slice_context[0]->c;
+ show +
7
8
9
10
11
12
memset(state, 128, sizeof(state)); if (f->version < 2) { unsigned v = get_symbol(c, state, 0); if (v > 1) { av_log(f->avctx, AV_LOG_ERROR,
+ show +
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =
.\cloneFuncs\totalClone\Type-3\CVE-2013-7020_before_1mo_1368366109_read_header.c
1
2
3
4
5
6
static int read_header(FFV1Context *f) { uint8_t state[CONTEXT_SIZE]; int i, j, context_count = -1; RangeCoder *const c = &f->slice_context[0]->c;
+ show +
7
8
9
10
11
12
memset(state, 128, sizeof(state)); if (f->version < 2) { unsigned v = get_symbol(c, state, 0); if (v > 1) { av_log(f->avctx, AV_LOG_ERROR,
+ show +
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =
.\cloneFuncs\totalClone\Type-3\CVE-2013-7020_before_6mo_1361646638_read_header.c
1
2
3
4
5
6
static int read_header(FFV1Context *f) { uint8_t state[CONTEXT_SIZE]; int i, j, context_count = -1; RangeCoder *const c = &f->slice_context[0]->c;
+ show +
7
8
9
10
11
12
memset(state, 128, sizeof(state)); if (f->version < 2) { unsigned v = get_symbol(c, state, 0); if (v > 1) { av_log(f->avctx, AV_LOG_ERROR,
+ show +
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =

[ffmpeg_CVE-2013-7020_1377831069_read_header.diff] read_header_OLD.c #2
get_symbol(c, state, 1) + c->one_state[i]; } - f->colorspace = get_symbol(c, state, 0); //YUV cs type + colorspace = get_symbol(c, state, 0); //YUV cs type + bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample; + chroma_planes = get_rac(c, state); + chroma_h_shift = get_symbol(c, state, 0); + chroma_v_shift = get_symbol(c, state, 0); + transparency = get_rac(c, state); + + if (f->plane_count) { + if (colorspace != f->colorspace || + bits_per_raw_sample != f->avctx->bits_per_raw_sample || + chroma_planes != f->chroma_planes || + chroma_h_shift != f->chroma_h_shift || + chroma_v_shift != f->chroma_v_shift || + transparency != f->transparency) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n"); + return AVERROR_INVALIDDATA; + } + } - if (f->version > 0) - f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); + f->colorspace = colorspace; + f->avctx->bits_per_raw_sample = bits_per_raw_sample; + f->chroma_planes = chroma_planes; + f->chroma_h_shift = chroma_h_shift; + f->chroma_v_shift = chroma_v_shift; + f->transparency = transparency; - f->chroma_planes = get_rac(c, state); - f->chroma_h_shift = get_symbol(c, state, 0); - f->chroma_v_shift = get_symbol(c, state, 0); - f->transparency = get_rac(c, state); f->plane_count = 2 + f->transparency; }
.\cloneFuncs\totalClone\Type-1\CVE-2013-7020_before_imd_1398715713_read_header.c
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =
+ show +
23
24
25
26
27
28
29
30
31
32
33
34
35
36
get_symbol(c, state, 1) + c->one_state[i]; } f->colorspace = get_symbol(c, state, 0); //YUV cs type if (f->version > 0) f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); f->chroma_planes = get_rac(c, state); f->chroma_h_shift = get_symbol(c, state, 0); f->chroma_v_shift = get_symbol(c, state, 0); f->transparency = get_rac(c, state); f->plane_count = 2 + f->transparency; }
+ show +
37
38
39
40
41
42
43
44
45
46
if (f->colorspace == 0) { if (!f->transparency && !f->chroma_planes) { if (f->avctx->bits_per_raw_sample <= 8) f->avctx->pix_fmt = AV_PIX_FMT_GRAY8; else f->avctx->pix_fmt = AV_PIX_FMT_GRAY16; } else if (f->avctx->bits_per_raw_sample <= 8 && !f->transparency) { switch (16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00:
.\cloneFuncs\totalClone\Type-3\CVE-2013-7020_before_1mo_1368366109_read_header.c
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =
+ show +
23
24
25
26
27
28
29
30
31
32
33
34
35
36
get_symbol(c, state, 1) + c->one_state[i]; } f->colorspace = get_symbol(c, state, 0); //YUV cs type if (f->version > 0) f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); f->chroma_planes = get_rac(c, state); f->chroma_h_shift = get_symbol(c, state, 0); f->chroma_v_shift = get_symbol(c, state, 0); f->transparency = get_rac(c, state); f->plane_count = 2 + f->transparency; }
+ show +
37
38
39
40
41
42
43
44
45
46
if (f->colorspace == 0) { if (!f->transparency && !f->chroma_planes) { if (f->avctx->bits_per_raw_sample <= 8) f->avctx->pix_fmt = AV_PIX_FMT_GRAY8; else f->avctx->pix_fmt = AV_PIX_FMT_GRAY16; } else if (f->avctx->bits_per_raw_sample <= 8 && !f->transparency) { switch (16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00:
.\cloneFuncs\totalClone\Type-3\CVE-2013-7020_before_6mo_1361646638_read_header.c
13
14
15
16
17
18
19
20
21
22
"invalid version %d in version 1 header\n", v); return AVERROR_INVALIDDATA; } f->version = v; f->ac = f->avctx->coder_type = get_symbol(c, state, 0); if (f->ac > 1) { for (i = 1; i < 256; i++) f->state_transition[i] =
+ show +
23
24
25
26
27
28
29
30
31
32
33
34
35
36
get_symbol(c, state, 1) + c->one_state[i]; } f->colorspace = get_symbol(c, state, 0); //YUV cs type if (f->version > 0) f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); f->chroma_planes = get_rac(c, state); f->chroma_h_shift = get_symbol(c, state, 0); f->chroma_v_shift = get_symbol(c, state, 0); f->transparency = get_rac(c, state); f->plane_count = 2 + f->transparency; }
+ show +
37
38
39
40
41
42
43
44
45
46
if (f->colorspace == 0) { if (!f->transparency && !f->chroma_planes) { if (f->avctx->bits_per_raw_sample <= 8) f->avctx->pix_fmt = AV_PIX_FMT_GRAY8; else f->avctx->pix_fmt = AV_PIX_FMT_GRAY16; } else if (f->avctx->bits_per_raw_sample <= 8 && !f->transparency) { switch (16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00:

[linux_CVE-2014-0049_1393526114_complete_emulated_mmio.diff] complete_emulated_mmio_OLD.c #1
frag->len -= len; } - if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) { + if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) { vcpu->mmio_needed = 0; /* FIXME: return into emulator if single-stepping. */
.\cloneFuncs\totalClone\Type-1\CVE-2014-0049_before_1mo_1390578524_complete_emulated_mmio.c
13
14
15
16
17
18
19
20
21
22
memcpy(frag->data, run->mmio.data, len); if (frag->len <= 8) { /* Switch to the next fragment. */ frag++; vcpu->mmio_cur_fragment++; } else { /* Go forward to the next mmio piece. */ frag->data += len; frag->gpa += len;
+ show +
23
24
25
26
27
28
29
frag->len -= len; } if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) { vcpu->mmio_needed = 0; /* FIXME: return into emulator if single-stepping. */
+ show +
30
31
32
33
34
35
36
37
38
39
if (vcpu->mmio_is_write) return 1; vcpu->mmio_read_completed = 1; return complete_emulated_io(vcpu); } run->exit_reason = KVM_EXIT_MMIO; run->mmio.phys_addr = frag->gpa; if (vcpu->mmio_is_write) memcpy(run->mmio.data, frag->data, min(8u, frag->len));

[linux_CVE-2014-0055_1395917617_get_rx_bufs.diff] get_rx_bufs_OLD.c #1
r = -ENOBUFS; goto err; } - d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, + r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ARRAY_SIZE(vq->iov) - seg, &out, &in, log, log_num); + if (unlikely(r < 0)) + goto err; + + d = r; if (d == vq->num) { r = 0; goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0055_before_imd_1395914426_get_rx_bufs.c
7
8
9
10
11
12
13
14
15
16
unsigned int quota) { unsigned int out, in; int seg = 0; int headcount = 0; unsigned d; int r, nlogs = 0; while (datalen > 0 && headcount < quota) { if (unlikely(seg >= UIO_MAXIOV)) {
+ show +
17
18
19
20
21
22
23
24
25
r = -ENOBUFS; goto err; } d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ARRAY_SIZE(vq->iov) - seg, &out, &in, log, log_num); if (d == vq->num) { r = 0; goto err;
+ show +
26
27
28
29
30
31
32
33
34
35
} if (unlikely(out || in <= 0)) { vq_err(vq, "unexpected descriptor format for RX: " "out %d, in %d\n", out, in); r = -EINVAL; goto err; } if (unlikely(log)) { nlogs += *log_num; log += *log_num;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0077_before_1mo_1392284525_get_rx_bufs.c
7
8
9
10
11
12
13
14
15
16
unsigned int quota) { unsigned int out, in; int seg = 0; int headcount = 0; unsigned d; int r, nlogs = 0; while (datalen > 0 && headcount < quota) { if (unlikely(seg >= UIO_MAXIOV)) {
+ show +
17
18
19
20
21
22
23
24
25
r = -ENOBUFS; goto err; } d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ARRAY_SIZE(vq->iov) - seg, &out, &in, log, log_num); if (d == vq->num) { r = 0; goto err;
+ show +
26
27
28
29
30
31
32
33
34
35
} if (unlikely(out || in <= 0)) { vq_err(vq, "unexpected descriptor format for RX: " "out %d, in %d\n", out, in); r = -EINVAL; goto err; } if (unlikely(log)) { nlogs += *log_num; log += *log_num;

[linux_CVE-2014-0069_1392380435_cifs_iovec_write.diff] cifs_iovec_write_OLD.c #1
unsigned long nr_segs, loff_t *poffset) { unsigned long nr_pages, i; - size_t copied, len, cur_len; + size_t bytes, copied, len, cur_len; ssize_t total_written = 0; loff_t offset; struct iov_iter it;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0069_before_imd_1392062896_cifs_iovec_write.c
1
2
static ssize_t cifs_iovec_write(struct file *file, const struct iovec *iov,
+ show +
3
4
5
6
7
8
9
unsigned long nr_segs, loff_t *poffset) { unsigned long nr_pages, i; size_t copied, len, cur_len; ssize_t total_written = 0; loff_t offset; struct iov_iter it;
+ show +
10
11
12
13
14
15
16
17
18
19
struct cifsFileInfo *open_file; struct cifs_tcon *tcon; struct cifs_sb_info *cifs_sb; struct cifs_writedata *wdata, *tmp; struct list_head wdata_list; int rc; pid_t pid; len = iov_length(iov, nr_segs); if (!len)
.\cloneFuncs\totalClone\Type-3\CVE-2014-0069_before_1mo_1384209757_cifs_iovec_write.c
1
2
static ssize_t cifs_iovec_write(struct file *file, const struct iovec *iov,
+ show +
3
4
5
6
7
8
9
unsigned long nr_segs, loff_t *poffset) { unsigned long nr_pages, i; size_t copied, len, cur_len; ssize_t total_written = 0; loff_t offset; struct iov_iter it;
+ show +
10
11
12
13
14
15
16
17
18
19
struct cifsFileInfo *open_file; struct cifs_tcon *tcon; struct cifs_sb_info *cifs_sb; struct cifs_writedata *wdata, *tmp; struct list_head wdata_list; int rc; pid_t pid; len = iov_length(iov, nr_segs); if (!len)

[linux_CVE-2014-0069_1392380435_cifs_iovec_write.diff] cifs_iovec_write_OLD.c #2
save_len = cur_len; for (i = 0; i < nr_pages; i++) { - copied = min_t(const size_t, cur_len, PAGE_SIZE); + bytes = min_t(const size_t, cur_len, PAGE_SIZE); copied = iov_iter_copy_from_user(wdata->pages[i], &it, - 0, copied); + 0, bytes); cur_len -= copied; iov_iter_advance(&it, copied); + /* + * If we didn't copy as much as we expected, then that + * may mean we trod into an unmapped area. Stop copying + * at that point. On the next pass through the big + * loop, we'll likely end up getting a zero-length + * write and bailing out of it. + */ + if (copied < bytes) + break; } cur_len = save_len - cur_len; + /* + * If we have no data to send, then that probably means that + * the copy above failed altogether. That's most likely because + * the address in the iovec was bogus. Set the rc to -EFAULT, + * free anything we allocated and bail out. + */ + if (!cur_len) { + for (i = 0; i < nr_pages; i++) + put_page(wdata->pages[i]); + kfree(wdata); + rc = -EFAULT; + break; + } + + /* + * i + 1 now represents the number of pages we actually used in + * the copy phase above. Bring nr_pages down to that, and free + * any pages that we didn't use. + */ + for ( ; nr_pages > i + 1; nr_pages--) + put_page(wdata->pages[nr_pages - 1]); + wdata->sync_mode = WB_SYNC_ALL; wdata->nr_pages = nr_pages; wdata->offset = (__u64)offset;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0069_before_imd_1392062896_cifs_iovec_write.c
49
50
51
52
53
54
55
56
57
58
rc = -ENOMEM; break; } rc = cifs_write_allocate_pages(wdata->pages, nr_pages); if (rc) { kfree(wdata); break; }
+ show +
59
60
61
62
63
64
65
66
67
68
69
70
71
save_len = cur_len; for (i = 0; i < nr_pages; i++) { copied = min_t(const size_t, cur_len, PAGE_SIZE); copied = iov_iter_copy_from_user(wdata->pages[i], &it, 0, copied); cur_len -= copied; iov_iter_advance(&it, copied); } cur_len = save_len - cur_len; wdata->sync_mode = WB_SYNC_ALL; wdata->nr_pages = nr_pages; wdata->offset = (__u64)offset;
+ show +
72
73
74
75
76
77
78
79
80
81
wdata->cfile = cifsFileInfo_get(open_file); wdata->pid = pid; wdata->bytes = cur_len; wdata->pagesz = PAGE_SIZE; wdata->tailsz = cur_len - ((nr_pages - 1) * PAGE_SIZE); rc = cifs_uncached_retry_writev(wdata); if (rc) { kref_put(&wdata->refcount, cifs_uncached_writedata_release); break;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0069_before_1mo_1384209757_cifs_iovec_write.c
49
50
51
52
53
54
55
56
57
58
rc = -ENOMEM; break; } rc = cifs_write_allocate_pages(wdata->pages, nr_pages); if (rc) { kfree(wdata); break; }
+ show +
59
60
61
62
63
64
65
66
67
68
69
70
71
save_len = cur_len; for (i = 0; i < nr_pages; i++) { copied = min_t(const size_t, cur_len, PAGE_SIZE); copied = iov_iter_copy_from_user(wdata->pages[i], &it, 0, copied); cur_len -= copied; iov_iter_advance(&it, copied); } cur_len = save_len - cur_len; wdata->sync_mode = WB_SYNC_ALL; wdata->nr_pages = nr_pages; wdata->offset = (__u64)offset;
+ show +
72
73
74
75
76
77
78
79
80
81
wdata->cfile = cifsFileInfo_get(open_file); wdata->pid = pid; wdata->bytes = cur_len; wdata->pagesz = PAGE_SIZE; wdata->tailsz = cur_len - ((nr_pages - 1) * PAGE_SIZE); rc = cifs_uncached_retry_writev(wdata); if (rc) { kref_put(&wdata->refcount, cifs_writedata_release); break; }

[openssl_CVE-2014-0076_1394633779_ec_GF2m_montgomery_point_multiply.diff] ec_GF2m_montgomery_point_multiply_OLD.c #1
x2 = &r->X; z2 = &r->Y; + bn_wexpand(x1, group->field.top); + bn_wexpand(z1, group->field.top); + bn_wexpand(x2, group->field.top); + bn_wexpand(z2, group->field.top); + if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ if (!BN_one(z1)) goto err; /* z1 = 1 */ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
.\cloneFuncs\totalClone\Type-1\CVE-2014-0076_before_1mo_1297531412_ec_GF2m_montgomery_point_multiply.c
20
21
22
23
24
25
26
27
28
29
/* only support affine coordinates */ if (!point->Z_is_one) return 0; /* Since point_multiply is static we can guarantee that ctx != NULL. */ BN_CTX_start(ctx); x1 = BN_CTX_get(ctx); z1 = BN_CTX_get(ctx); if (z1 == NULL) goto err;
+ show +
30
31
32
33
34
35
x2 = &r->X; z2 = &r->Y; if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ if (!BN_one(z1)) goto err; /* z1 = 1 */ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
+ show +
36
37
38
39
40
41
42
43
44
45
if (!group->meth->field_sqr(group, x2, z2, ctx)) goto err; if (!BN_GF2m_add(x2, x2, &group->b)) goto err; /* x2 = x^4 + b */ /* find top most bit and go one past it */ i = scalar->top - 1; mask = BN_TBIT; word = scalar->d[i]; while (!(word & mask)) mask >>= 1; mask >>= 1; /* if top most bit was at word break, go to next word */

[openssl_CVE-2014-0076_1394633779_ec_GF2m_montgomery_point_multiply.diff] ec_GF2m_montgomery_point_multiply_OLD.c #2
word = scalar->d[i]; while (mask) { - if (word & mask) - { - if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; - if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; - } - else - { - if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; - if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - } + BN_consttime_swap(word & mask, x1, x2, group->field.top); + BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; + if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; + BN_consttime_swap(word & mask, x1, x2, group->field.top); + BN_consttime_swap(word & mask, z1, z2, group->field.top); mask >>= 1; } mask = BN_TBIT;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0076_before_1mo_1297531412_ec_GF2m_montgomery_point_multiply.c
44
45
46
47
48
49
50
51
52
53
mask >>= 1; /* if top most bit was at word break, go to next word */ if (!mask) { i--; mask = BN_TBIT; } for (; i >= 0; i--) {
+ show +
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
word = scalar->d[i]; while (mask) { if (word & mask) { if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; } else { if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; } mask >>= 1; } mask = BN_TBIT;
+ show +
70
71
72
73
74
75
76
77
78
79
} /* convert out of "projective" coordinates */ i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx); if (i == 0) goto err; else if (i == 1) { if (!EC_POINT_set_to_infinity(group, r)) goto err; } else

[linux_CVE-2014-0077_1395914426_handle_rx.diff] handle_rx_OLD.c #1
/* On error, stop handling until the next kick. */ if (unlikely(headcount < 0)) break; + /* On overrun, truncate and discard */ + if (unlikely(headcount > UIO_MAXIOV)) { + msg.msg_iovlen = 1; + err = sock->ops->recvmsg(NULL, sock, &msg, + 1, MSG_DONTWAIT | MSG_TRUNC); + pr_debug("Discarded rx packet: len %zd\n", sock_len); + continue; + } /* OK, now we need to know about added descriptors. */ if (!headcount) { if (unlikely(vhost_enable_notify(&net->dev, vq))) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0077_before_1mo_1392284525_handle_rx.c
35
36
37
38
39
40
41
42
43
44
vq_log = unlikely(vhost_has_feature(&net->dev, VHOST_F_LOG_ALL)) ? vq->log : NULL; mergeable = vhost_has_feature(&net->dev, VIRTIO_NET_F_MRG_RXBUF); while ((sock_len = peek_head_len(sock->sk))) { sock_len += sock_hlen; vhost_len = sock_len + vhost_hlen; headcount = get_rx_bufs(vq, vq->heads, vhost_len, &in, vq_log, &log, likely(mergeable) ? UIO_MAXIOV : 1);
+ show +
45
46
47
48
49
50
/* On error, stop handling until the next kick. */ if (unlikely(headcount < 0)) break; /* OK, now we need to know about added descriptors. */ if (!headcount) { if (unlikely(vhost_enable_notify(&net->dev, vq))) {
+ show +
51
52
53
54
55
56
57
58
59
60
/* They have slipped one in as we were * doing that: check again. */ vhost_disable_notify(&net->dev, vq); continue; } /* Nothing new? Wait for eventfd to tell us * they refilled. */ break; } /* We don't need to be notified again. */

[qemu_CVE-2014-0142_1395835569_parallels_open.diff] parallels_open_OLD.c #1
bs->total_sectors = le32_to_cpu(ph.nb_sectors); s->tracks = le32_to_cpu(ph.tracks); + if (s->tracks == 0) { + error_setg(errp, "Invalid image: Zero sectors per track"); + ret = -EINVAL; + goto fail; + } s->catalog_size = le32_to_cpu(ph.catalog_entries); if (s->catalog_size > INT_MAX / 4) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0142_before_imd_1395835568_parallels_open.c
13
14
15
16
17
18
19
20
21
22
goto fail; } if (memcmp(ph.magic, HEADER_MAGIC, 16) || (le32_to_cpu(ph.version) != HEADER_VERSION)) { error_setg(errp, "Image not in Parallels format"); ret = -EINVAL; goto fail; }
+ show +
23
24
25
26
27
28
bs->total_sectors = le32_to_cpu(ph.nb_sectors); s->tracks = le32_to_cpu(ph.tracks); s->catalog_size = le32_to_cpu(ph.catalog_entries); if (s->catalog_size > INT_MAX / 4) {
+ show +
29
30
31
32
33
34
35
36
37
38
error_setg(errp, "Catalog too large"); ret = -EFBIG; goto fail; } s->catalog_bitmap = g_malloc(s->catalog_size * 4); ret = bdrv_pread(bs->file, 64, s->catalog_bitmap, s->catalog_size * 4); if (ret < 0) { goto fail; }

[qemu_CVE-2014-0143_1395835566_qcow2_open.diff] qcow2_open_OLD.c #1
} /* read the level 1 table */ - if (header.l1_size > 0x2000000) { - /* 32 MB L1 table is enough for 2 PB images at 64k cluster size - * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ + if (header.l1_size > QCOW_MAX_L1_SIZE) { error_setg(errp, "Active L1 table too large"); ret = -EFBIG; goto fail;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0143_before_imd_1395835564_qcow2_open.c
185
186
187
188
189
190
191
192
193
194
ret = -EINVAL; goto fail; } ret = validate_table_offset(bs, header.snapshots_offset, header.nb_snapshots, sizeof(QCowSnapshotHeader)); if (ret < 0) { error_setg(errp, "Invalid snapshot table offset"); goto fail;
+ show +
195
196
197
198
199
200
201
202
203
} /* read the level 1 table */ if (header.l1_size > 0x2000000) { /* 32 MB L1 table is enough for 2 PB images at 64k cluster size * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ error_setg(errp, "Active L1 table too large"); ret = -EFBIG; goto fail;
+ show +
204
205
206
207
208
209
210
211
212
213
} s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size); if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index;

[qemu_CVE-2014-0144_1395835546_qcow2_open.diff] qcow2_open_OLD.c #1
s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ + if (header.l1_size > 0x2000000) { + /* 32 MB L1 table is enough for 2 PB images at 64k cluster size + * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ + error_setg(errp, "Active L1 table too large"); + ret = -EFBIG; + goto fail; + } s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size);
.\cloneFuncs\totalClone\Type-1\CVE-2014-0144_before_imd_1395835545_qcow2_open.c
189
190
191
192
193
194
195
196
197
198
ret = validate_table_offset(bs, header.snapshots_offset, header.nb_snapshots, sizeof(QCowSnapshotHeader)); if (ret < 0) { error_setg(errp, "Invalid snapshot table offset"); goto fail; } s->snapshots_offset = header.snapshots_offset;
+ show +
199
200
201
202
203
204
s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size);
+ show +
205
206
207
208
209
210
211
212
213
214
if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_1mo_1392644646_qcow2_open.c
135
136
137
138
139
140
141
142
143
144
s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->csize_shift = (62 - (s->cluster_bits - 8)); s->csize_mask = (1 << (s->cluster_bits - 8)) - 1; s->cluster_offset_mask = (1LL << s->csize_shift) - 1; s->refcount_table_offset = header.refcount_table_offset; s->refcount_table_size = header.refcount_table_clusters << (s->cluster_bits - 3); s->snapshots_offset = header.snapshots_offset;
+ show +
145
146
147
148
149
150
s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size);
+ show +
151
152
153
154
155
156
157
158
159
160
if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_6mo_1380125330_qcow2_open.c
133
134
135
136
137
138
139
140
141
142
s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->csize_shift = (62 - (s->cluster_bits - 8)); s->csize_mask = (1 << (s->cluster_bits - 8)) - 1; s->cluster_offset_mask = (1LL << s->csize_shift) - 1; s->refcount_table_offset = header.refcount_table_offset; s->refcount_table_size = header.refcount_table_clusters << (s->cluster_bits - 3); s->snapshots_offset = header.snapshots_offset;
+ show +
143
144
145
146
147
148
s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size);
+ show +
149
150
151
152
153
154
155
156
157
158
if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) {

[qemu_CVE-2014-0144_1395835546_qcow2_open.diff] qcow2_open_OLD.c #2
ret = -EINVAL; goto fail; } + + ret = validate_table_offset(bs, header.l1_table_offset, + header.l1_size, sizeof(uint64_t)); + if (ret < 0) { + error_setg(errp, "Invalid L1 table offset"); + goto fail; + } s->l1_table_offset = header.l1_table_offset; + + if (s->l1_size > 0) { s->l1_table = g_malloc0( align_offset(s->l1_size * sizeof(uint64_t), 512));
.\cloneFuncs\totalClone\Type-1\CVE-2014-0144_before_imd_1395835545_qcow2_open.c
206
207
208
209
210
211
212
213
214
215
error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) { error_setg(errp, "L1 table is too small");
+ show +
216
217
218
219
220
221
222
ret = -EINVAL; goto fail; } s->l1_table_offset = header.l1_table_offset; if (s->l1_size > 0) { s->l1_table = g_malloc0( align_offset(s->l1_size * sizeof(uint64_t), 512));
+ show +
223
224
225
226
227
228
229
230
231
232
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read L1 table"); goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); } }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_1mo_1392644646_qcow2_open.c
152
153
154
155
156
157
158
159
160
161
error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) { error_setg(errp, "L1 table is too small");
+ show +
162
163
164
165
166
167
168
ret = -EINVAL; goto fail; } s->l1_table_offset = header.l1_table_offset; if (s->l1_size > 0) { s->l1_table = g_malloc0( align_offset(s->l1_size * sizeof(uint64_t), 512));
+ show +
169
170
171
172
173
174
175
176
177
178
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read L1 table"); goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); } }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_6mo_1380125330_qcow2_open.c
150
151
152
153
154
155
156
157
158
159
error_setg(errp, "Image is too big"); ret = -EFBIG; goto fail; } s->l1_vm_state_index = l1_vm_state_index; /* the L1 table must contain at least enough entries to put header.size bytes */ if (s->l1_size < s->l1_vm_state_index) { error_setg(errp, "L1 table is too small");
+ show +
160
161
162
163
164
165
166
ret = -EINVAL; goto fail; } s->l1_table_offset = header.l1_table_offset; if (s->l1_size > 0) { s->l1_table = g_malloc0( align_offset(s->l1_size * sizeof(uint64_t), 512));
+ show +
167
168
169
170
171
172
173
174
175
176
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read L1 table"); goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); } }

[qemu_CVE-2014-0146_1395835564_qcow2_open.diff] qcow2_open_OLD.c #2
bs->backing_file[len] = '\0'; } + /* Internal snapshots */ + s->snapshots_offset = header.snapshots_offset; + s->nb_snapshots = header.nb_snapshots; + ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
.\cloneFuncs\totalClone\Type-1\CVE-2014-0144_before_imd_1395835545_qcow2_open.c
264
265
266
267
268
269
270
271
272
273
len = header.backing_file_size; if (len > 1023) { len = 1023; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read backing file name"); goto fail; }
+ show +
274
275
276
277
278
279
bs->backing_file[len] = '\0'; } ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
+ show +
280
281
282
283
284
285
286
287
288
289
goto fail; } /* Clear unknown autoclear feature bits */ if (!bs->read_only && !(flags & BDRV_O_INCOMING) && s->autoclear_features) { s->autoclear_features = 0; ret = qcow2_update_header(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not update qcow2 header"); goto fail;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0146_before_imd_1395835550_qcow2_open.c
281
282
283
284
285
286
287
288
289
290
error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read backing file name"); goto fail; }
+ show +
291
292
293
294
295
296
bs->backing_file[len] = '\0'; } ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
+ show +
297
298
299
300
301
302
303
304
305
306
goto fail; } /* Clear unknown autoclear feature bits */ if (!bs->read_only && !(flags & BDRV_O_INCOMING) && s->autoclear_features) { s->autoclear_features = 0; ret = qcow2_update_header(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not update qcow2 header"); goto fail;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_1mo_1392644646_qcow2_open.c
210
211
212
213
214
215
216
217
218
219
len = header.backing_file_size; if (len > 1023) { len = 1023; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read backing file name"); goto fail; }
+ show +
220
221
222
223
224
225
bs->backing_file[len] = '\0'; } ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
+ show +
226
227
228
229
230
231
232
233
234
235
goto fail; } /* Clear unknown autoclear feature bits */ if (!bs->read_only && s->autoclear_features != 0) { s->autoclear_features = 0; ret = qcow2_update_header(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not update qcow2 header"); goto fail;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0143_before_6mo_1380125330_qcow2_open.c
208
209
210
211
212
213
214
215
216
217
len = header.backing_file_size; if (len > 1023) { len = 1023; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read backing file name"); goto fail; }
+ show +
218
219
220
221
222
223
bs->backing_file[len] = '\0'; } ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
+ show +
224
225
226
227
228
229
230
231
232
233
goto fail; } /* Clear unknown autoclear feature bits */ if (!bs->read_only && s->autoclear_features != 0) { s->autoclear_features = 0; ret = qcow2_update_header(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not update qcow2 header"); goto fail;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0144_after_imd_1395835547_qcow2_open.c
283
284
285
286
287
288
289
290
291
292
error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read backing file name"); goto fail; }
+ show +
293
294
295
296
297
298
bs->backing_file[len] = '\0'; } ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots");
+ show +
299
300
301
302
303
304
305
306
307
308
goto fail; } /* Clear unknown autoclear feature bits */ if (!bs->read_only && !(flags & BDRV_O_INCOMING) && s->autoclear_features) { s->autoclear_features = 0; ret = qcow2_update_header(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not update qcow2 header"); goto fail;

[qemu_CVE-2014-0145_1395835565_qcow2_snapshot_load_tmp.diff] qcow2_snapshot_load_tmp_OLD.c #1
sn = &s->snapshots[snapshot_index]; /* Allocate and read in the snapshot's L1 table */ - new_l1_bytes = s->l1_size * sizeof(uint64_t); + new_l1_bytes = sn->l1_size * sizeof(uint64_t); new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512)); ret = bdrv_pread(bs->file, sn->l1_table_offset, new_l1_table, new_l1_bytes);
.\cloneFuncs\totalClone\Type-1\CVE-2014-0145_before_1mo_1392234384_qcow2_snapshot_load_tmp.c
12
13
14
15
16
17
18
19
20
21
assert(bs->read_only); /* Search the snapshot */ snapshot_index = find_snapshot_by_id_and_name(bs, snapshot_id, name); if (snapshot_index < 0) { error_setg(errp, "Can't find snapshot"); return -ENOENT; }
+ show +
22
23
24
25
26
27
28
sn = &s->snapshots[snapshot_index]; /* Allocate and read in the snapshot's L1 table */ new_l1_bytes = s->l1_size * sizeof(uint64_t); new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512)); ret = bdrv_pread(bs->file, sn->l1_table_offset, new_l1_table, new_l1_bytes);
+ show +
29
30
31
32
33
34
35
36
37
38
if (ret < 0) { error_setg(errp, "Failed to read l1 table for snapshot"); g_free(new_l1_table); return ret; } /* Switch the L1 table */ g_free(s->l1_table); s->l1_size = sn->l1_size;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0145_before_6mo_1379586555_qcow2_snapshot_load_tmp.c
7
8
9
10
11
12
13
14
15
16
int new_l1_bytes; int ret; assert(bs->read_only); /* Search the snapshot */ snapshot_index = find_snapshot_by_id_or_name(bs, snapshot_name); if (snapshot_index < 0) { return -ENOENT; }
+ show +
17
18
19
20
21
22
23
sn = &s->snapshots[snapshot_index]; /* Allocate and read in the snapshot's L1 table */ new_l1_bytes = s->l1_size * sizeof(uint64_t); new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512)); ret = bdrv_pread(bs->file, sn->l1_table_offset, new_l1_table, new_l1_bytes);
+ show +
24
25
26
27
28
29
30
31
32
33
if (ret < 0) { g_free(new_l1_table); return ret; } /* Switch the L1 table */ g_free(s->l1_table); s->l1_size = sn->l1_size; s->l1_table_offset = sn->l1_table_offset;

[qemu_CVE-2014-0146_1395835564_qcow2_open.diff] qcow2_open_OLD.c #1
goto fail; } - s->snapshots_offset = header.snapshots_offset; - s->nb_snapshots = header.nb_snapshots; - /* read the level 1 table */ if (header.l1_size > 0x2000000) { /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
.\cloneFuncs\totalClone\Type-1\CVE-2014-0146_before_imd_1395835550_qcow2_open.c
184
185
186
187
188
189
190
191
192
193
error_setg(errp, "Too many snapshots"); ret = -EINVAL; goto fail; } ret = validate_table_offset(bs, header.snapshots_offset, header.nb_snapshots, sizeof(QCowSnapshotHeader)); if (ret < 0) { error_setg(errp, "Invalid snapshot table offset");
+ show +
194
195
196
197
198
199
200
201
202
goto fail; } s->snapshots_offset = header.snapshots_offset; s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ if (header.l1_size > 0x2000000) { /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ show +
203
204
205
206
207
208
209
210
211
212
* (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ error_setg(errp, "Active L1 table too large"); ret = -EFBIG; goto fail; } s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size); if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big");
.\cloneFuncs\totalClone\Type-3\CVE-2014-0144_after_imd_1395835547_qcow2_open.c
186
187
188
189
190
191
192
193
194
195
error_setg(errp, "Too many snapshots"); ret = -EINVAL; goto fail; } ret = validate_table_offset(bs, header.snapshots_offset, header.nb_snapshots, sizeof(QCowSnapshotHeader)); if (ret < 0) { error_setg(errp, "Invalid snapshot table offset");
+ show +
196
197
198
199
200
201
202
203
204
goto fail; } s->snapshots_offset = header.snapshots_offset; s->nb_snapshots = header.nb_snapshots; /* read the level 1 table */ if (header.l1_size > 0x2000000) { /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ show +
205
206
207
208
209
210
211
212
213
214
* (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ error_setg(errp, "Active L1 table too large"); ret = -EFBIG; goto fail; } s->l1_size = header.l1_size; l1_vm_state_index = size_to_l1(s, header.size); if (l1_vm_state_index > INT_MAX) { error_setg(errp, "Image is too big");

[qemu_CVE-2014-0147_1395835532_bochs_open.diff] bochs_open_OLD.c #1
Error **errp) { BDRVBochsState *s = bs->opaque; - int i; + uint32_t i; struct bochs_header bochs; int ret;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0147_before_imd_1395835531_bochs_open.c
1
static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
+ show +
2
3
4
5
6
7
Error **errp) { BDRVBochsState *s = bs->opaque; int i; struct bochs_header bochs; int ret;
+ show +
8
9
10
11
12
13
14
15
16
17
bs->read_only = 1; // no write support yet ret = bdrv_pread(bs->file, 0, &bochs, sizeof(bochs)); if (ret < 0) { return ret; } if (strcmp(bochs.magic, HEADER_MAGIC) || strcmp(bochs.type, REDOLOG_TYPE) ||

[qemu_CVE-2014-0148_1395835539_vhdx_parse_metadata.diff] vhdx_parse_metadata_OLD.c #1
le32_to_cpus(&s->logical_sector_size); le32_to_cpus(&s->physical_sector_size); - if (s->logical_sector_size == 0 || s->params.block_size == 0) { + if (s->params.block_size < VHDX_BLOCK_SIZE_MIN || + s->params.block_size > VHDX_BLOCK_SIZE_MAX) { ret = -EINVAL; goto exit; } - /* both block_size and sector_size are guaranteed powers of 2 */ + /* only 2 supported sector sizes */ + if (s->logical_sector_size != 512 && s->logical_sector_size != 4096) { + ret = -EINVAL; + goto exit; + } + + /* Both block_size and sector_size are guaranteed powers of 2, below. + Due to range checks above, s->sectors_per_block can never be < 256 */ s->sectors_per_block = s->params.block_size / s->logical_sector_size; s->chunk_ratio = (VHDX_MAX_SECTORS_PER_BLOCK) * (uint64_t)s->logical_sector_size /
.\cloneFuncs\totalClone\Type-1\CVE-2014-0148_before_1mo_1392744787_vhdx_parse_metadata.c
165
166
167
168
169
170
171
172
173
174
ret = bdrv_pread(bs->file, s->metadata_entries.phys_sector_size_entry.offset + s->metadata_rt.file_offset, &s->physical_sector_size, sizeof(uint32_t)); if (ret < 0) { goto exit; } le64_to_cpus(&s->virtual_disk_size);
+ show +
175
176
177
178
179
180
181
182
183
184
185
186
le32_to_cpus(&s->logical_sector_size); le32_to_cpus(&s->physical_sector_size); if (s->logical_sector_size == 0 || s->params.block_size == 0) { ret = -EINVAL; goto exit; } /* both block_size and sector_size are guaranteed powers of 2 */ s->sectors_per_block = s->params.block_size / s->logical_sector_size; s->chunk_ratio = (VHDX_MAX_SECTORS_PER_BLOCK) * (uint64_t)s->logical_sector_size /
+ show +
187
188
189
190
191
192
193
194
195
196
(uint64_t)s->params.block_size; /* These values are ones we will want to use for division / multiplication * later on, and they are all guaranteed (per the spec) to be powers of 2, * so we can take advantage of that for shift operations during * reads/writes */ if (s->logical_sector_size & (s->logical_sector_size - 1)) { ret = -EINVAL; goto exit; }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0148_before_6mo_1378383749_vhdx_parse_metadata.c
171
172
173
174
175
176
177
178
179
180
ret = bdrv_pread(bs->file, s->metadata_entries.phys_sector_size_entry.offset + s->metadata_rt.file_offset, &s->physical_sector_size, sizeof(uint32_t)); if (ret < 0) { goto exit; } le64_to_cpus(&s->virtual_disk_size);
+ show +
181
182
183
184
185
186
187
188
189
190
191
192
le32_to_cpus(&s->logical_sector_size); le32_to_cpus(&s->physical_sector_size); if (s->logical_sector_size == 0 || s->params.block_size == 0) { ret = -EINVAL; goto exit; } /* both block_size and sector_size are guaranteed powers of 2 */ s->sectors_per_block = s->params.block_size / s->logical_sector_size; s->chunk_ratio = (VHDX_MAX_SECTORS_PER_BLOCK) * (uint64_t)s->logical_sector_size /
+ show +
193
194
195
196
197
198
199
200
201
202
(uint64_t)s->params.block_size; /* These values are ones we will want to use for division / multiplication * later on, and they are all guaranteed (per the spec) to be powers of 2, * so we can take advantage of that for shift operations during * reads/writes */ if (s->logical_sector_size & (s->logical_sector_size - 1)) { ret = -EINVAL; goto exit; }

[qemu_CVE-2014-0150_1397218688_virtio_net_handle_mac.diff] virtio_net_handle_mac_OLD.c #1
goto error; } - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { + if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) { s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN], mac_data.entries * ETH_ALEN); if (s != mac_data.entries * ETH_ALEN) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0150_before_1mo_1392077522_virtio_net_handle_mac.c
57
58
59
60
61
62
63
64
65
66
s = iov_to_buf(iov, iov_cnt, 0, &mac_data.entries, sizeof(mac_data.entries)); mac_data.entries = ldl_p(&mac_data.entries); if (s != sizeof(mac_data.entries)) { goto error; } iov_discard_front(&iov, &iov_cnt, s); if (mac_data.entries * ETH_ALEN != iov_size(iov, iov_cnt)) {
+ show +
67
68
69
70
71
72
73
goto error; } if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN], mac_data.entries * ETH_ALEN); if (s != mac_data.entries * ETH_ALEN) {
+ show +
74
75
76
77
78
79
80
81
82
83
goto error; } in_use += mac_data.entries; } else { multi_overflow = 1; } n->mac_table.in_use = in_use; n->mac_table.first_multi = first_multi; n->mac_table.uni_overflow = uni_overflow;

[linux_CVE-2014-0155_1396035710_ioapic_service.diff] ioapic_service_OLD.c #1
BUG_ON(ioapic->rtc_status.pending_eoi != 0); ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, ioapic->rtc_status.dest_map); - ioapic->rtc_status.pending_eoi = ret; + ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret); } else ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2014-0155_before_imd_1395139163_ioapic_service.c
18
19
20
21
22
23
24
25
26
27
irqe.dest_mode = entry->fields.dest_mode; irqe.trig_mode = entry->fields.trig_mode; irqe.delivery_mode = entry->fields.delivery_mode << 8; irqe.level = 1; irqe.shorthand = 0; if (irqe.trig_mode == IOAPIC_EDGE_TRIG) ioapic->irr &= ~(1 << irq); if (irq == RTC_GSI && line_status) {
+ show +
28
29
30
31
32
33
BUG_ON(ioapic->rtc_status.pending_eoi != 0); ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, ioapic->rtc_status.dest_map); ioapic->rtc_status.pending_eoi = ret; } else ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
+ show +
34
35
36
37
38
39
if (ret && irqe.trig_mode == IOAPIC_LEVEL_TRIG) entry->fields.remote_irr = 1; return ret; }

[openssl_CVE-2014-0160_1396741866_tls1_process_heartbeat.diff] tls1_process_heartbeat_OLD.c #1
unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ - /* Read type and payload length first */ - hbtype = *p++; - n2s(p, payload); - pl = p; - if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, &s->s3->rrec.data[0], s->s3->rrec.length, s, s->msg_callback_arg); + /* Read type and payload length first */ + if (1 + 2 + 16 > s->s3->rrec.length) + return 0; /* silently discard */ + hbtype = *p++; + n2s(p, payload); + if (1 + 2 + payload + 16 > s->s3->rrec.length) + return 0; /* silently discard per RFC 6520 sec. 4 */ + pl = p; + if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0160_before_1mo_1392920651_tls1_process_heartbeat.c
1
2
3
4
5
int tls1_process_heartbeat(SSL *s) { unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned short hbtype;
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p; if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, &s->s3->rrec.data[0], s->s3->rrec.length, s, s->msg_callback_arg); if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp;
+ show +
22
23
24
25
26
27
28
29
30
31
int r; /* Allocate memory for the response, size is 1 bytes * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */

[linux_CVE-2014-0181_1401473040_netlink_sendmsg.diff] netlink_sendmsg_OLD.c #1
struct sk_buff *skb; int err; struct scm_cookie scm; + u32 netlink_skb_flags = 0; if (msg->msg_flags&MSG_OOB) return -EOPNOTSUPP;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0181_before_1mo_1398288348_netlink_sendmsg.c
1
2
3
4
5
6
7
8
9
static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, struct msghdr *msg, size_t len) { struct sock_iocb *siocb = kiocb_to_siocb(kiocb); struct sock *sk = sock->sk; struct netlink_sock *nlk = nlk_sk(sk); DECLARE_SOCKADDR(struct sockaddr_nl *, addr, msg->msg_name); u32 dst_portid; u32 dst_group;
+ show +
10
11
12
13
14
15
struct sk_buff *skb; int err; struct scm_cookie scm; if (msg->msg_flags&MSG_OOB) return -EOPNOTSUPP;
+ show +
16
17
18
19
20
21
22
23
24
25
if (NULL == siocb->scm) siocb->scm = &scm; err = scm_send(sock, msg, siocb->scm, true); if (err < 0) return err; if (msg->msg_namelen) { err = -EINVAL;
.\cloneFuncs\totalClone\Type-2\CVE-2014-0181_before_6mo_1385000062_netlink_sendmsg.c
1
2
3
4
5
6
7
8
9
static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, struct msghdr *msg, size_t len) { struct sock_iocb *siocb = kiocb_to_siocb(kiocb); struct sock *sk = sock->sk; struct netlink_sock *nlk = nlk_sk(sk); struct sockaddr_nl *addr = msg->msg_name; u32 dst_portid; u32 dst_group;
+ show +
10
11
12
13
14
15
struct sk_buff *skb; int err; struct scm_cookie scm; if (msg->msg_flags&MSG_OOB) return -EOPNOTSUPP;
+ show +
16
17
18
19
20
21
22
23
24
25
if (NULL == siocb->scm) siocb->scm = &scm; err = scm_send(sock, msg, siocb->scm, true); if (err < 0) return err; if (msg->msg_namelen) { err = -EINVAL;

[linux_CVE-2014-0181_1401473040_netlink_sendmsg.diff] netlink_sendmsg_OLD.c #2
if ((dst_group || dst_portid) && !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND)) goto out; + netlink_skb_flags |= NETLINK_SKB_DST; } else { dst_portid = nlk->dst_portid; dst_group = nlk->dst_group;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0181_before_1mo_1398288348_netlink_sendmsg.c
21
22
23
24
25
26
27
28
29
30
if (err < 0) return err; if (msg->msg_namelen) { err = -EINVAL; if (addr->nl_family != AF_NETLINK) goto out; dst_portid = addr->nl_pid; dst_group = ffs(addr->nl_groups); err = -EPERM;
+ show +
31
32
33
34
35
36
if ((dst_group || dst_portid) && !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND)) goto out; } else { dst_portid = nlk->dst_portid; dst_group = nlk->dst_group;
+ show +
37
38
39
40
41
42
43
44
45
46
} if (!nlk->portid) { err = netlink_autobind(sock); if (err) goto out; } if (netlink_tx_is_mmaped(sk) && msg->msg_iov->iov_base == NULL) {

[linux_CVE-2014-0181_1401473040_netlink_sendmsg.diff] netlink_sendmsg_OLD.c #3
NETLINK_CB(skb).portid = nlk->portid; NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).creds = siocb->scm->creds; + NETLINK_CB(skb).flags = netlink_skb_flags; err = -EFAULT; if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0181_before_1mo_1398288348_netlink_sendmsg.c
50
51
52
53
54
55
56
57
58
59
} err = -EMSGSIZE; if (len > sk->sk_sndbuf - 32) goto out; err = -ENOBUFS; skb = netlink_alloc_large_skb(len, dst_group); if (skb == NULL) goto out;
+ show +
60
61
62
63
64
65
NETLINK_CB(skb).portid = nlk->portid; NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).creds = siocb->scm->creds; err = -EFAULT; if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
+ show +
66
67
68
69
70
71
72
73
74
75
kfree_skb(skb); goto out; } err = security_netlink_send(sk, skb); if (err) { kfree_skb(skb); goto out; }
.\cloneFuncs\totalClone\Type-2\CVE-2014-0181_before_6mo_1385000062_netlink_sendmsg.c
50
51
52
53
54
55
56
57
58
59
} err = -EMSGSIZE; if (len > sk->sk_sndbuf - 32) goto out; err = -ENOBUFS; skb = netlink_alloc_large_skb(len, dst_group); if (skb == NULL) goto out;
+ show +
60
61
62
63
64
65
NETLINK_CB(skb).portid = nlk->portid; NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).creds = siocb->scm->creds; err = -EFAULT; if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
+ show +
66
67
68
69
70
71
72
73
74
75
kfree_skb(skb); goto out; } err = security_netlink_send(sk, skb); if (err) { kfree_skb(skb); goto out; }

[openssl_CVE-2014-3506_1402089952_dtls1_reassemble_fragment.diff] dtls1_reassemble_fragment_OLD.c #1
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; - unsigned long frag_len = msg_hdr->frag_len, max_len; + unsigned long frag_len = msg_hdr->frag_len; - if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) - goto err; - - /* Determine maximum allowed message size. Depends on (user set) - * maximum certificate length, but 16k is minimum. - */ - if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) - max_len = s->max_cert_list; - else - max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - - if ((msg_hdr->frag_off+frag_len) > max_len) + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || + msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; /* Try to find item in queue */
.\cloneFuncs\totalClone\Type-1\CVE-2014-0195_after_imd_1402408049_dtls1_reassemble_fragment.c
1
2
3
4
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len, max_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; /* Determine maximum allowed message size. Depends on (user set) * maximum certificate length, but 16k is minimum. */ if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) max_len = s->max_cert_list; else max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; if ((msg_hdr->frag_off+frag_len) > max_len) goto err; /* Try to find item in queue */
+ show +
25
26
27
28
29
30
31
32
33
34
memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0195_before_imd_1400241645_dtls1_reassemble_fragment.c
1
2
3
4
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len, max_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; /* Determine maximum allowed message size. Depends on (user set) * maximum certificate length, but 16k is minimum. */ if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) max_len = s->max_cert_list; else max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; if ((msg_hdr->frag_off+frag_len) > max_len) goto err; /* Try to find item in queue */
+ show +
25
26
27
28
29
30
31
32
33
34
memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3506_before_imd_1406241214_dtls1_reassemble_fragment.c
1
2
3
4
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len, max_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; /* Determine maximum allowed message size. Depends on (user set) * maximum certificate length, but 16k is minimum. */ if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) max_len = s->max_cert_list; else max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; if ((msg_hdr->frag_off+frag_len) > max_len) goto err; /* Try to find item in queue */
+ show +
25
26
27
28
29
30
31
32
33
34
memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err;
.\cloneFuncs\totalClone\Type-2\CVE-2014-0195_before_1mo_1396741866_dtls1_reassemble_fragment.c
1
2
3
4
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len, max_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; /* Determine maximum allowed message size. Depends on (user set) * maximum certificate length, but 16k is minimum. */ if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) max_len = s->max_cert_list; else max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; if ((msg_hdr->frag_off+frag_len) > max_len) goto err; /* Try to find item in queue */
+ show +
25
26
27
28
29
30
31
32
33
34
memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0195_after_1mo_1402089561_dtls1_reassemble_fragment.c
1
2
3
4
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len, max_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; /* Determine maximum allowed message size. Depends on (user set) * maximum certificate length, but 16k is minimum. */ if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) max_len = s->max_cert_list; else max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; if ((msg_hdr->frag_off+frag_len) > max_len) goto err; /* Try to find item in queue */
+ show +
25
26
27
28
29
30
31
32
33
34
memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err;

[openssl_CVE-2014-3507_1402090233_dtls1_reassemble_fragment.diff] dtls1_reassemble_fragment_OLD.c #2
goto err; } - pqueue_insert(s->d1->buffered_messages, item); + item = pqueue_insert(s->d1->buffered_messages, item); + /* pqueue_insert fails iff a duplicate item is inserted. + * However, |item| cannot be a duplicate. If it were, + * |pqueue_find|, above, would have returned it and control + * would never have reached this branch. */ + OPENSSL_assert(item != NULL); } return DTLS1_HM_FRAGMENT_RETRY;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0195_after_imd_1402408049_dtls1_reassemble_fragment.c
87
88
89
90
91
92
93
94
95
96
if (item == NULL) { memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag); if (item == NULL) { i = -1;
+ show +
97
98
99
100
101
102
103
goto err; } pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
104
105
106
107
108
109
110
err: if (frag != NULL) dtls1_hm_fragment_free(frag); if (item != NULL) OPENSSL_free(item); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-0195_before_imd_1400241645_dtls1_reassemble_fragment.c
78
79
80
81
82
83
84
85
86
87
if (item == NULL) { memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag); if (item == NULL) { i = -1;
+ show +
88
89
90
91
92
93
94
goto err; } pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
95
96
97
98
99
100
101
err: if (frag != NULL) dtls1_hm_fragment_free(frag); if (item != NULL) OPENSSL_free(item); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-3506_before_imd_1406241214_dtls1_reassemble_fragment.c
88
89
90
91
92
93
94
95
96
97
if (item == NULL) { memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag); if (item == NULL) { i = -1;
+ show +
98
99
100
101
102
103
104
goto err; } pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
105
106
107
108
109
110
err: if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-3507_before_imd_1402089952_dtls1_reassemble_fragment.c
78
79
80
81
82
83
84
85
86
87
if (item == NULL) { memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag); if (item == NULL) { i = -1;
+ show +
88
89
90
91
92
93
94
goto err; } pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
95
96
97
98
99
100
err: if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0195_after_1mo_1402089561_dtls1_reassemble_fragment.c
87
88
89
90
91
92
93
94
95
96
if (item == NULL) { memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag); if (item == NULL) { i = -1;
+ show +
97
98
99
100
101
102
103
goto err; } pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
104
105
106
107
108
109
err: if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }

[openssl_CVE-2014-0195_1400003311_dtls1_reassemble_fragment.diff] dtls1_reassemble_fragment_OLD.c #1
frag->msg_header.frag_off = 0; } else + { frag = (hm_fragment*) item->data; + if (frag->msg_header.msg_len != msg_hdr->msg_len) + { + item = NULL; + frag = NULL; + goto err; + } + } + /* If message is already reassembled, this must be a * retransmit and can be dropped.
.\cloneFuncs\totalClone\Type-1\CVE-2014-0195_before_imd_1400241645_dtls1_reassemble_fragment.c
27
28
29
30
31
32
33
34
35
36
seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err; memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); frag->msg_header.frag_len = frag->msg_header.msg_len;
+ show +
37
38
39
40
41
42
43
frag->msg_header.frag_off = 0; } else frag = (hm_fragment*) item->data; /* If message is already reassembled, this must be a * retransmit and can be dropped.
+ show +
44
45
46
47
48
49
50
51
52
53
*/ if (frag->reassembly == NULL) { unsigned char devnull [256]; while (frag_len) { i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, devnull, frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
.\cloneFuncs\totalClone\Type-2\CVE-2014-0195_before_1mo_1396741866_dtls1_reassemble_fragment.c
27
28
29
30
31
32
33
34
35
36
seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err; memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); frag->msg_header.frag_len = frag->msg_header.msg_len;
+ show +
37
38
39
40
41
42
43
frag->msg_header.frag_off = 0; } else frag = (hm_fragment*) item->data; /* If message is already reassembled, this must be a * retransmit and can be dropped.
+ show +
44
45
46
47
48
49
50
51
52
53
*/ if (frag->reassembly == NULL) { unsigned char devnull [256]; while (frag_len) { i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, devnull, frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);

[linux_CVE-2014-0196_1399118699_n_tty_write.diff] n_tty_write_OLD.c #1
if (tty->ops->flush_chars) tty->ops->flush_chars(tty); } else { + struct n_tty_data *ldata = tty->disc_data; + while (nr > 0) { + mutex_lock(&ldata->output_lock); c = tty->ops->write(tty, b, nr); + mutex_unlock(&ldata->output_lock); if (c < 0) { retval = c; goto break_out;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0196_before_1mo_1392154495_n_tty_write.c
40
41
42
43
44
45
46
47
48
49
} b += num; nr -= num; if (nr == 0) break; c = *b; if (process_output(c, tty) < 0) break; b++; nr--; }
+ show +
50
51
52
53
54
55
56
57
if (tty->ops->flush_chars) tty->ops->flush_chars(tty); } else { while (nr > 0) { c = tty->ops->write(tty, b, nr); if (c < 0) { retval = c; goto break_out;
+ show +
58
59
60
61
62
63
64
65
66
67
} if (!c) break; b += c; nr -= c; } } if (!nr) break; if (file->f_flags & O_NONBLOCK) {

[linux_CVE-2014-0206_1403631171_aio_read_events_ring.diff] aio_read_events_ring_OLD.c #1
if (head == tail) goto out; + head %= ctx->nr_events; + tail %= ctx->nr_events; + while (ret < nr) { long avail; struct io_event *ev;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0206_before_imd_1403629975_aio_read_events_ring.c
9
10
11
12
13
14
15
16
17
18
mutex_lock(&ctx->ring_lock); /* Access to ->ring_pages here is protected by ctx->ring_lock. */ ring = kmap_atomic(ctx->ring_pages[0]); head = ring->head; tail = ring->tail; kunmap_atomic(ring); pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events);
+ show +
19
20
21
22
23
24
if (head == tail) goto out; while (ret < nr) { long avail; struct io_event *ev;
+ show +
25
26
27
28
29
30
31
32
33
34
struct page *page; avail = (head <= tail ? tail : ctx->nr_events) - head; if (head == tail) break; avail = min(avail, nr - ret); avail = min_t(long, avail, AIO_EVENTS_PER_PAGE - ((head + AIO_EVENTS_OFFSET) % AIO_EVENTS_PER_PAGE));
.\cloneFuncs\totalClone\Type-3\CVE-2014-0206_before_1mo_1392161861_aio_read_events_ring.c
9
10
11
12
13
14
15
16
17
18
mutex_lock(&ctx->ring_lock); /* Access to ->ring_pages here is protected by ctx->ring_lock. */ ring = kmap_atomic(ctx->ring_pages[0]); head = ring->head; tail = ring->tail; kunmap_atomic(ring); pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events);
+ show +
19
20
21
22
23
24
if (head == tail) goto out; while (ret < nr) { long avail; struct io_event *ev;
+ show +
25
26
27
28
29
30
31
32
33
34
struct page *page; avail = (head <= tail ? tail : ctx->nr_events) - head; if (head == tail) break; avail = min(avail, nr - ret); avail = min_t(long, avail, AIO_EVENTS_PER_PAGE - ((head + AIO_EVENTS_OFFSET) % AIO_EVENTS_PER_PAGE));
.\cloneFuncs\totalClone\Type-3\CVE-2014-0206_before_6mo_1387739029_aio_read_events_ring.c
8
9
10
11
12
13
14
15
16
17
mutex_lock(&ctx->ring_lock); ring = kmap_atomic(ctx->ring_pages[0]); head = ring->head; tail = ring->tail; kunmap_atomic(ring); pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events);
+ show +
18
19
20
21
22
23
if (head == tail) goto out; while (ret < nr) { long avail; struct io_event *ev;
+ show +
24
25
26
27
28
29
30
31
32
33
struct page *page; avail = (head <= tail ? tail : ctx->nr_events) - head; if (head == tail) break; avail = min(avail, nr - ret); avail = min_t(long, avail, AIO_EVENTS_PER_PAGE - ((head + AIO_EVENTS_OFFSET) % AIO_EVENTS_PER_PAGE));

[openssl_CVE-2014-0221_1400241645_dtls1_get_message_fragment.diff] dtls1_get_message_fragment_OLD.c #1
int i,al; struct hm_header_st msg_hdr; + redo: /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0221_before_1mo_1396741866_dtls1_get_message_fragment.c
1
2
3
4
5
static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) { unsigned char wire[DTLS1_HM_HEADER_LENGTH]; unsigned long len, frag_off, frag_len;
+ show +
6
7
8
9
10
11
int i,al; struct hm_header_st msg_hdr; /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) {
+ show +
12
13
14
15
16
17
18
19
20
21
if (*ok) s->init_num = frag_len; return frag_len; } /* read handshake message header */ i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire, DTLS1_HM_HEADER_LENGTH, 0); if (i <= 0) /* nbio, or an error */ { s->rwstate=SSL_READING;

[openssl_CVE-2014-0221_1400241645_dtls1_get_message_fragment.diff] dtls1_get_message_fragment_OLD.c #2
s->msg_callback_arg); s->init_num = 0; - return dtls1_get_message_fragment(s, st1, stn, - max, ok); + goto redo; } else /* Incorrectly formated Hello request */ {
.\cloneFuncs\totalClone\Type-1\CVE-2014-0221_before_1mo_1396741866_dtls1_get_message_fragment.c
54
55
56
57
58
59
60
61
62
63
{ /* The server may always send 'Hello Request' messages -- * we are doing a handshake anyway now, so ignore them * if their format is correct. Does not count for * 'Finished' MAC. */ if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire, DTLS1_HM_HEADER_LENGTH, s,
+ show +
64
65
66
67
68
69
70
71
s->msg_callback_arg); s->init_num = 0; return dtls1_get_message_fragment(s, st1, stn, max, ok); } else /* Incorrectly formated Hello request */ {
+ show +
72
73
74
75
76
77
78
79
80
81
al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE); goto f_err; } } if ((al=dtls1_preprocess_fragment(s,&msg_hdr,max))) goto f_err; /* XDTLS: ressurect this when restart is in place */

[qemu_CVE-2014-0222_1400163011_qcow_open.diff] qcow_open_OLD.c #1
goto fail; } + /* l2_bits specifies number of entries; storing a uint64_t in each entry, + * so bytes = num_entries << 3. */ + if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { + error_setg(errp, "L2 table size must be between 512 and 64k"); + ret = -EINVAL; + goto fail; + } + if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0222_before_imd_1399476630_qcow_open.c
34
35
36
37
38
39
40
41
42
43
} if (header.size <= 1) { error_setg(errp, "Image size is too small (must be at least 2 bytes)"); ret = -EINVAL; goto fail; } if (header.cluster_bits < 9 || header.cluster_bits > 16) { error_setg(errp, "Cluster size must be between 512 and 64k"); ret = -EINVAL;
+ show +
44
45
46
47
48
49
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
50
51
52
53
54
55
56
57
58
59
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0223_before_imd_1400163011_qcow_open.c
42
43
44
45
46
47
48
49
50
51
error_setg(errp, "Cluster size must be between 512 and 64k"); ret = -EINVAL; goto fail; } /* l2_bits specifies number of entries; storing a uint64_t in each entry, * so bytes = num_entries << 3. */ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { error_setg(errp, "L2 table size must be between 512 and 64k"); ret = -EINVAL;
+ show +
52
53
54
55
56
57
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
58
59
60
61
62
63
64
65
66
67
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_after_1mo_1401960051_qcow_open.c
43
44
45
46
47
48
49
50
51
52
error_setg(errp, "Cluster size must be between 512 and 64k"); ret = -EINVAL; goto fail; } /* l2_bits specifies number of entries; storing a uint64_t in each entry, * so bytes = num_entries << 3. */ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { error_setg(errp, "L2 table size must be between 512 and 64k"); ret = -EINVAL;
+ show +
53
54
55
56
57
58
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
59
60
61
62
63
64
65
66
67
68
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_after_6mo_1421931810_qcow_open.c
43
44
45
46
47
48
49
50
51
52
error_setg(errp, "Cluster size must be between 512 and 64k"); ret = -EINVAL; goto fail; } /* l2_bits specifies number of entries; storing a uint64_t in each entry, * so bytes = num_entries << 3. */ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { error_setg(errp, "L2 table size must be between 512 and 64k"); ret = -EINVAL;
+ show +
53
54
55
56
57
58
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
59
60
61
62
63
64
65
66
67
68
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_after_imd_1399547300_qcow_open.c
42
43
44
45
46
47
48
49
50
51
error_setg(errp, "Cluster size must be between 512 and 64k"); ret = -EINVAL; goto fail; } /* l2_bits specifies number of entries; storing a uint64_t in each entry, * so bytes = num_entries << 3. */ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { error_setg(errp, "L2 table size must be between 512 and 64k"); ret = -EINVAL;
+ show +
52
53
54
55
56
57
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
58
59
60
61
62
63
64
65
66
67
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_before_1mo_1395649817_qcow_open.c
28
29
30
31
32
33
34
35
36
37
snprintf(version, sizeof(version), "QCOW version %d", header.version); error_set(errp, QERR_UNKNOWN_BLOCK_FORMAT_FEATURE, bs->device_name, "qcow", version); ret = -ENOTSUP; goto fail; } if (header.size <= 1 || header.cluster_bits < 9) { error_setg(errp, "invalid value in qcow header"); ret = -EINVAL;
+ show +
38
39
40
41
42
goto fail; } if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL;
+ show +
43
44
45
46
47
48
49
50
51
52
goto fail; } s->crypt_method_header = header.crypt_method; if (s->crypt_method_header) { bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits;

[qemu_CVE-2014-0223_1399547300_qcow_open.diff] qcow_open_OLD.c #1
/* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; - s->l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (header.size > UINT64_MAX - (1LL << shift)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } else { + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (l1_size > INT_MAX / sizeof(uint64_t)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } + s->l1_size = l1_size; + } s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
.\cloneFuncs\totalClone\Type-1\CVE-2014-0222_before_imd_1399476630_qcow_open.c
54
55
56
57
58
59
60
61
62
63
bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits; s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->cluster_offset_mask = (1LL << (63 - s->cluster_bits)) - 1;
+ show +
64
65
66
67
68
69
/* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; s->l1_size = (header.size + (1LL << shift) - 1) >> shift; s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+ show +
70
71
72
73
74
75
76
77
78
79
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); }
.\cloneFuncs\totalClone\Type-1\CVE-2014-0223_before_imd_1400163011_qcow_open.c
62
63
64
65
66
67
68
69
70
71
bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits; s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->cluster_offset_mask = (1LL << (63 - s->cluster_bits)) - 1;
+ show +
72
73
74
75
76
77
/* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; s->l1_size = (header.size + (1LL << shift) - 1) >> shift; s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+ show +
78
79
80
81
82
83
84
85
86
87
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_before_1mo_1395649817_qcow_open.c
47
48
49
50
51
52
53
54
55
56
bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits; s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->cluster_offset_mask = (1LL << (63 - s->cluster_bits)) - 1;
+ show +
57
58
59
60
61
62
/* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; s->l1_size = (header.size + (1LL << shift) - 1) >> shift; s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+ show +
63
64
65
66
67
68
69
70
71
72
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); }
.\cloneFuncs\totalClone\Type-3\CVE-2014-0222_before_6mo_1378480466_qcow_open.c
44
45
46
47
48
49
50
51
52
53
bs->encrypted = 1; } s->cluster_bits = header.cluster_bits; s->cluster_size = 1 << s->cluster_bits; s->cluster_sectors = 1 << (s->cluster_bits - 9); s->l2_bits = header.l2_bits; s->l2_size = 1 << s->l2_bits; bs->total_sectors = header.size / 512; s->cluster_offset_mask = (1LL << (63 - s->cluster_bits)) - 1;
+ show +
54
55
56
57
58
59
/* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; s->l1_size = (header.size + (1LL << shift) - 1) >> shift; s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+ show +
60
61
62
63
64
65
66
67
68
69
ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)); if (ret < 0) { goto fail; } for(i = 0;i < s->l1_size; i++) { be64_to_cpus(&s->l1_table[i]); }

[openssl_CVE-2014-0224_1402150873_ssl3_get_server_hello.diff] ssl3_get_server_hello_OLD.c #1
{ s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j); + s->s3->flags |= SSL3_FLAGS_CCS_OK; } } #endif /* OPENSSL_NO_TLSEXT */
.\cloneFuncs\totalClone\Type-1\CVE-2014-0224_before_imd_1400240988_ssl3_get_server_hello.c
107
108
109
110
111
112
113
114
115
116
#ifndef OPENSSL_NO_TLSEXT /* check if we want to resume the session based on external pre-shared secret */ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { SSL_CIPHER *pref_cipher=NULL; s->session->master_key_length=sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ show +
117
118
119
120
121
122
{ s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j); } } #endif /* OPENSSL_NO_TLSEXT */
+ show +
123
124
125
126
127
128
129
130
131
132
if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
.\cloneFuncs\totalClone\Type-3\CVE-2014-0224_before_1mo_1387114344_ssl3_get_server_hello.c
107
108
109
110
111
112
113
114
115
116
#ifndef OPENSSL_NO_TLSEXT /* check if we want to resume the session based on external pre-shared secret */ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { SSL_CIPHER *pref_cipher=NULL; s->session->master_key_length=sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ show +
117
118
119
120
121
122
{ s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j); } } #endif /* OPENSSL_NO_TLSEXT */
+ show +
123
124
125
126
127
128
129
130
131
132
if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
.\cloneFuncs\totalClone\Type-3\CVE-2014-0224_before_6mo_1382306604_ssl3_get_server_hello.c
107
108
109
110
111
112
113
114
115
116
#ifndef OPENSSL_NO_TLSEXT /* check if we want to resume the session based on external pre-shared secret */ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { SSL_CIPHER *pref_cipher=NULL; s->session->master_key_length=sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ show +
117
118
119
120
121
122
{ s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j); } } #endif /* OPENSSL_NO_TLSEXT */
+ show +
123
124
125
126
127
128
129
130
131
132
if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

[xen_CVE-2014-2915_1397567202_do_sysreg.diff] do_sysreg_OLD.c #1
static void do_sysreg(struct cpu_user_regs *regs, union hsr hsr) { + register_t *x = select_user_reg(regs, hsr.sysreg.reg); switch ( hsr.bits & HSR_SYSREG_REGS_MASK ) { + /* RAZ/WI registers: */ + /* - Debug */ + case HSR_SYSREG_MDSCR_EL1: + /* - Perf monitors */ + case HSR_SYSREG_PMINTENSET_EL1: + case HSR_SYSREG_PMINTENCLR_EL1: + case HSR_SYSREG_PMCR_EL0: + case HSR_SYSREG_PMCNTENSET_EL0: + case HSR_SYSREG_PMCNTENCLR_EL0: + case HSR_SYSREG_PMOVSCLR_EL0: + case HSR_SYSREG_PMSWINC_EL0: + case HSR_SYSREG_PMSELR_EL0: + case HSR_SYSREG_PMCEID0_EL0: + case HSR_SYSREG_PMCEID1_EL0: + case HSR_SYSREG_PMCCNTR_EL0: + case HSR_SYSREG_PMXEVTYPER_EL0: + case HSR_SYSREG_PMXEVCNTR_EL0: + case HSR_SYSREG_PMUSERENR_EL0: + case HSR_SYSREG_PMOVSSET_EL0: + /* - Breakpoints */ + HSR_SYSREG_DBG_CASES(DBGBVR): + HSR_SYSREG_DBG_CASES(DBGBCR): + /* - Watchpoints */ + HSR_SYSREG_DBG_CASES(DBGWVR): + HSR_SYSREG_DBG_CASES(DBGWCR): + if ( hsr.sysreg.read ) + *x = 0; + /* else: write ignored */ + break; + + /* Write only, Write ignore registers: */ + case HSR_SYSREG_OSLAR_EL1: + if ( hsr.sysreg.read ) + goto bad_sysreg; + /* else: write ignored */ + break; case HSR_SYSREG_CNTP_CTL_EL0: case HSR_SYSREG_CNTP_TVAL_EL0: if ( !vtimer_emulate(regs, hsr) )
.\cloneFuncs\totalClone\Type-1\CVE-2014-2915_before_imd_1397562328_do_sysreg.c
+ show +
1
2
3
4
5
6
7
8
9
static void do_sysreg(struct cpu_user_regs *regs, union hsr hsr) { switch ( hsr.bits & HSR_SYSREG_REGS_MASK ) { case HSR_SYSREG_CNTP_CTL_EL0: case HSR_SYSREG_CNTP_TVAL_EL0: if ( !vtimer_emulate(regs, hsr) )
+ show +
10
11
12
13
14
15
16
17
18
19
{ dprintk(XENLOG_ERR, "failed emulation of 64-bit vtimer sysreg access\n"); domain_crash_synchronous(); } break; default: { struct hsr_sysreg sysreg = hsr.sysreg; #ifndef NDEBUG

[xen_CVE-2014-2915_1397567202_do_sysreg.diff] do_sysreg_OLD.c #2
} break; default: + bad_sysreg: { struct hsr_sysreg sysreg = hsr.sysreg; #ifndef NDEBUG
.\cloneFuncs\totalClone\Type-1\CVE-2014-2915_before_imd_1397562328_do_sysreg.c
4
5
6
7
8
9
10
11
12
13
switch ( hsr.bits & HSR_SYSREG_REGS_MASK ) { case HSR_SYSREG_CNTP_CTL_EL0: case HSR_SYSREG_CNTP_TVAL_EL0: if ( !vtimer_emulate(regs, hsr) ) { dprintk(XENLOG_ERR, "failed emulation of 64-bit vtimer sysreg access\n"); domain_crash_synchronous();
+ show +
14
15
16
17
18
19
} break; default: { struct hsr_sysreg sysreg = hsr.sysreg; #ifndef NDEBUG
+ show +
20
21
22
23
24
25
26
27
28
29
gdprintk(XENLOG_ERR, "%s %d, %d, c%d, c%d, %d %s x%d @ 0x%"PRIregister"\n", sysreg.read ? "mrs" : "msr", sysreg.op0, sysreg.op1, sysreg.crn, sysreg.crm, sysreg.op2, sysreg.read ? "=>" : "<=", sysreg.reg, regs->pc); gdprintk(XENLOG_ERR, "unhandled 64-bit sysreg access %#x",

[xen_CVE-2014-2915_1397567202_do_trap_hypervisor.diff] do_trap_hypervisor_OLD.c #1
goto bad_trap; do_cp15_64(regs, hsr); break; + case HSR_EC_CP14_32: + case HSR_EC_CP14_DBG: + if ( !is_32bit_domain(current->domain) ) + goto bad_trap; + do_cp14(regs, hsr); + break; case HSR_EC_CP: if ( !is_32bit_domain(current->domain) ) goto bad_trap;
.\cloneFuncs\totalClone\Type-1\CVE-2014-2915_before_imd_1397562328_do_trap_hypervisor.c
21
22
23
24
25
26
27
28
29
30
vcpu_unblock(current); advance_pc(regs, hsr); break; case HSR_EC_CP15_32: if ( !is_32bit_domain(current->domain) ) goto bad_trap; do_cp15_32(regs, hsr); break; case HSR_EC_CP15_64: if ( !is_32bit_domain(current->domain) )
+ show +
31
32
33
34
35
36
goto bad_trap; do_cp15_64(regs, hsr); break; case HSR_EC_CP: if ( !is_32bit_domain(current->domain) ) goto bad_trap;
+ show +
37
38
39
40
41
42
43
44
45
46
do_cp(regs, hsr); break; case HSR_EC_SMC32: inject_undef32_exception(regs); break; case HSR_EC_HVC32: #ifndef NDEBUG if ( (hsr.iss & 0xff00) == 0xff00 ) return do_debug_trap(regs, hsr.iss & 0x00ff); #endif

[xen_CVE-2014-2915_1397567202_init_traps.diff] init_traps_OLD.c #1
/* Setup Hyp vector base */ WRITE_SYSREG((vaddr_t)hyp_traps_vector, VBAR_EL2); + /* Trap Debug and Performance Monitor accesses */ + WRITE_SYSREG(HDCR_TDRA|HDCR_TDOSA|HDCR_TDA|HDCR_TPM|HDCR_TPMCR, + MDCR_EL2); + /* Trap CP15 c15 used for implementation defined registers */ WRITE_SYSREG(HSTR_T(15), HSTR_EL2);
.\cloneFuncs\totalClone\Type-1\CVE-2014-2915_before_imd_1397562328_init_traps.c
1
2
void __cpuinit init_traps(void) {
+ show +
3
4
5
6
7
/* Setup Hyp vector base */ WRITE_SYSREG((vaddr_t)hyp_traps_vector, VBAR_EL2); /* Trap CP15 c15 used for implementation defined registers */ WRITE_SYSREG(HSTR_T(15), HSTR_EL2);
+ show +
8
9
10
11
12
13
14
15
16
17
/* Trap all coprocessor registers (0-13) except cp10 and cp11 for VFP * /!\ All processors except cp10 and cp11 cannot be used in Xen */ WRITE_SYSREG((HCPTR_CP_MASK & ~(HCPTR_CP(10) | HCPTR_CP(11))) | HCPTR_TTA, CPTR_EL2); /* Setup hypervisor traps */ WRITE_SYSREG(HCR_PTW|HCR_BSU_INNER|HCR_AMO|HCR_IMO|HCR_VM|HCR_TWI|HCR_TSC| HCR_TAC|HCR_SWIO|HCR_TIDCP, HCR_EL2);

[xen_CVE-2014-2986_1398267165_vgic_distr_mmio_write.diff] vgic_distr_mmio_write_OLD.c #1
case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */ if ( dabt.size != 2 ) goto bad_width; rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR); - vgic_lock_rank(v, rank); if ( rank == NULL) goto write_ignore; + vgic_lock_rank(v, rank); rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r; vgic_unlock_rank(v, rank); return 1;
.\cloneFuncs\totalClone\Type-1\CVE-2014-2986_before_1mo_1395323486_vgic_distr_mmio_write.c
109
110
111
112
113
114
115
116
117
118
byte_write(&rank->ipriority[REG_RANK_INDEX(8, gicd_reg - GICD_IPRIORITYR)], *r, offset); vgic_unlock_rank(v, rank); return 1; case GICD_ICFGR: /* SGIs */ goto write_ignore; case GICD_ICFGR + 1: /* PPIs */ /* It is implementation defined if these are writeable. We chose not */ goto write_ignore;
+ show +
119
120
121
122
123
124
125
126
case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */ if ( dabt.size != 2 ) goto bad_width; rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR); vgic_lock_rank(v, rank); if ( rank == NULL) goto write_ignore; rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r; vgic_unlock_rank(v, rank); return 1;
+ show +
127
128
129
130
131
132
133
134
135
136
case GICD_NSACR ... GICD_NSACRN: /* We do not implement security extensions for guests, write ignore */ goto write_ignore; case GICD_SGIR: if ( dabt.size != 2 ) goto bad_width; return vgic_to_sgi(v, *r);
.\cloneFuncs\totalClone\Type-3\CVE-2014-2986_before_6mo_1372363119_vgic_distr_mmio_write.c
107
108
109
110
111
112
113
114
115
116
byte_write(&rank->ipriority[REG_RANK_INDEX(8, gicd_reg - GICD_IPRIORITYR)], *r, offset); vgic_unlock_rank(v, rank); return 1; case GICD_ICFGR: /* SGIs */ goto write_ignore; case GICD_ICFGR + 1: /* PPIs */ /* It is implementation defined if these are writeable. We chose not */ goto write_ignore;
+ show +
117
118
119
120
121
122
123
124
case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */ if ( dabt.size != 2 ) goto bad_width; rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR); vgic_lock_rank(v, rank); if ( rank == NULL) goto write_ignore; rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r; vgic_unlock_rank(v, rank); return 1;
+ show +
125
126
127
128
129
130
131
132
133
134
case GICD_NSACR ... GICD_NSACRN: /* We do not implement security extensions for guests, write ignore */ goto write_ignore; case GICD_SGIR: if ( dabt.size != 2 ) goto bad_width; return vgic_to_sgi(v, *r);

[xen_CVE-2014-3125_1398941680_init_timer_interrupt.diff] init_timer_interrupt_OLD.c #1
{ /* Sensible defaults */ WRITE_SYSREG64(0, CNTVOFF_EL2); /* No VM-specific offset */ - WRITE_SYSREG32(0, CNTKCTL_EL1); /* No user-mode access */ #if USE_HYP_TIMER /* Do not let the VMs program the physical timer, only read the physical counter */ WRITE_SYSREG32(CNTHCTL_PA, CNTHCTL_EL2);
.\cloneFuncs\totalClone\Type-1\CVE-2014-3125_before_1mo_1395055862_init_timer_interrupt.c
1
void __cpuinit init_timer_interrupt(void)
+ show +
2
3
4
5
6
7
8
{ /* Sensible defaults */ WRITE_SYSREG64(0, CNTVOFF_EL2); /* No VM-specific offset */ WRITE_SYSREG32(0, CNTKCTL_EL1); /* No user-mode access */ #if USE_HYP_TIMER /* Do not let the VMs program the physical timer, only read the physical counter */ WRITE_SYSREG32(CNTHCTL_PA, CNTHCTL_EL2);
+ show +
9
10
11
12
13
14
15
16
17
18
#else /* Cannot let VMs access physical counter if we are using it */ WRITE_SYSREG32(0, CNTHCTL_EL2); #endif WRITE_SYSREG32(0, CNTP_CTL_EL0); /* Physical timer disabled */ WRITE_SYSREG32(0, CNTHP_CTL_EL2); /* Hypervisor's timer disabled */ isb(); request_dt_irq(&timer_irq[TIMER_HYP_PPI], timer_interrupt, "hyptimer", NULL);

[linux_CVE-2014-3153_1401798426_futex_wait_requeue_pi.diff] futex_wait_requeue_pi_OLD.c #1
if (ret) goto out_key2; + /* + * The check above which compares uaddrs is not sufficient for + * shared futexes. We need to compare the keys: + */ + if (match_futex(&q.key, &key2)) { + ret = -EINVAL; + goto out_put_keys; + } + /* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to);
.\cloneFuncs\totalClone\Type-1\CVE-2014-3153_before_1mo_1397069707_futex_wait_requeue_pi.c
41
42
43
44
45
46
47
48
49
50
q.bitset = bitset; q.rt_waiter = &rt_waiter; q.requeue_pi_key = &key2; /* * Prepare to wait on uaddr. On success, increments q.key (key1) ref * count. */ ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
+ show +
51
52
53
54
55
if (ret) goto out_key2; /* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to);
+ show +
56
57
58
59
60
61
62
63
64
65
spin_lock(&hb->lock); ret = handle_early_requeue_pi_wakeup(hb, &q, &key2, to); spin_unlock(&hb->lock); if (ret) goto out_put_keys; /* * In order for us to be here, we know our q.key == key2, and since * we took the hb->lock above, we also know that futex_requeue() has
.\cloneFuncs\totalClone\Type-3\CVE-2014-3153_before_6mo_1383239899_futex_wait_requeue_pi.c
39
40
41
42
43
44
45
46
47
48
q.bitset = bitset; q.rt_waiter = &rt_waiter; q.requeue_pi_key = &key2; /* * Prepare to wait on uaddr. On success, increments q.key (key1) ref * count. */ ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
+ show +
49
50
51
52
53
if (ret) goto out_key2; /* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to);
+ show +
54
55
56
57
58
59
60
61
62
63
spin_lock(&hb->lock); ret = handle_early_requeue_pi_wakeup(hb, &q, &key2, to); spin_unlock(&hb->lock); if (ret) goto out_put_keys; /* * In order for us to be here, we know our q.key == key2, and since * we took the hb->lock above, we also know that futex_requeue() has

[linux_CVE-2014-3153_1401798426_futex_requeue.diff] futex_requeue_OLD.c #1
if (requeue_pi) { /* + * Requeue PI only works on two distinct uaddrs. This + * check is only valid for private futexes. See below. + */ + if (uaddr1 == uaddr2) + return -EINVAL; + + /* * requeue_pi requires a pi_state, try to allocate it now * without any locks in case it fails. */
.\cloneFuncs\totalClone\Type-1\CVE-2014-3153_before_imd_1399927535_futex_requeue.c
1
2
3
4
5
6
7
8
9
10
static int futex_requeue(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2, int nr_wake, int nr_requeue, u32 *cmpval, int requeue_pi) { union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT; int drop_count = 0, task_count = 0, ret; struct futex_pi_state *pi_state = NULL; struct futex_hash_bucket *hb1, *hb2; struct futex_q *this, *next;
+ show +
11
12
13
14
15
if (requeue_pi) { /* * requeue_pi requires a pi_state, try to allocate it now * without any locks in case it fails. */
+ show +
16
17
18
19
20
21
22
23
24
25
if (refill_pi_state_cache()) return -ENOMEM; /* * requeue_pi must wake as many tasks as it can, up to nr_wake * + nr_requeue, since it acquires the rt_mutex prior to * returning to userspace, so as to not leave the rt_mutex with * waiters and no owner. However, second and third wake-ups * cannot be predicted as they involve race conditions with the * first wake and a fault while looking up the pi_state. Both * pthread_cond_signal() and pthread_cond_broadcast() should
.\cloneFuncs\totalClone\Type-3\CVE-2014-3153_before_1mo_1397069707_futex_requeue.c
2
3
4
5
6
7
8
9
10
11
u32 __user *uaddr2, int nr_wake, int nr_requeue, u32 *cmpval, int requeue_pi) { union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT; int drop_count = 0, task_count = 0, ret; struct futex_pi_state *pi_state = NULL; struct futex_hash_bucket *hb1, *hb2; struct futex_q *this, *next; u32 curval2;
+ show +
12
13
14
15
16
if (requeue_pi) { /* * requeue_pi requires a pi_state, try to allocate it now * without any locks in case it fails. */
+ show +
17
18
19
20
21
22
23
24
25
26
if (refill_pi_state_cache()) return -ENOMEM; /* * requeue_pi must wake as many tasks as it can, up to nr_wake * + nr_requeue, since it acquires the rt_mutex prior to * returning to userspace, so as to not leave the rt_mutex with * waiters and no owner. However, second and third wake-ups * cannot be predicted as they involve race conditions with the * first wake and a fault while looking up the pi_state. Both * pthread_cond_signal() and pthread_cond_broadcast() should
.\cloneFuncs\totalClone\Type-3\CVE-2014-3153_before_6mo_1383239899_futex_requeue.c
3
4
5
6
7
8
9
10
11
12
u32 *cmpval, int requeue_pi) { union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT; int drop_count = 0, task_count = 0, ret; struct futex_pi_state *pi_state = NULL; struct futex_hash_bucket *hb1, *hb2; struct plist_head *head1; struct futex_q *this, *next; u32 curval2;
+ show +
13
14
15
16
17
if (requeue_pi) { /* * requeue_pi requires a pi_state, try to allocate it now * without any locks in case it fails. */
+ show +
18
19
20
21
22
23
24
25
26
27
if (refill_pi_state_cache()) return -ENOMEM; /* * requeue_pi must wake as many tasks as it can, up to nr_wake * + nr_requeue, since it acquires the rt_mutex prior to * returning to userspace, so as to not leave the rt_mutex with * waiters and no owner. However, second and third wake-ups * cannot be predicted as they involve race conditions with the * first wake and a fault while looking up the pi_state. Both * pthread_cond_signal() and pthread_cond_broadcast() should

[linux_CVE-2014-3153_1401798426_futex_requeue.diff] futex_requeue_OLD.c #2
if (unlikely(ret != 0)) goto out_put_key1; + /* + * The check above which compares uaddrs is not sufficient for + * shared futexes. We need to compare the keys: + */ + if (requeue_pi && match_futex(&key1, &key2)) { + ret = -EINVAL; + goto out_put_keys; + } + hb1 = hash_futex(&key1); hb2 = hash_futex(&key2);
.\cloneFuncs\totalClone\Type-1\CVE-2014-3153_before_imd_1399927535_futex_requeue.c
37
38
39
40
41
42
43
44
45
46
*/ free_pi_state(pi_state); pi_state = NULL; } ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ); if (unlikely(ret != 0)) goto out; ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+ show +
47
48
49
50
51
if (unlikely(ret != 0)) goto out_put_key1; hb1 = hash_futex(&key1); hb2 = hash_futex(&key2);
+ show +
52
53
54
55
56
57
58
59
60
61
retry_private: hb_waiters_inc(hb2); double_lock_hb(hb1, hb2); if (likely(cmpval != NULL)) { u32 curval; ret = get_futex_value_locked(&curval, uaddr1);
.\cloneFuncs\totalClone\Type-3\CVE-2014-3153_before_1mo_1397069707_futex_requeue.c
38
39
40
41
42
43
44
45
46
47
*/ free_pi_state(pi_state); pi_state = NULL; } ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ); if (unlikely(ret != 0)) goto out; ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+ show +
48
49
50
51
52
if (unlikely(ret != 0)) goto out_put_key1; hb1 = hash_futex(&key1); hb2 = hash_futex(&key2);
+ show +
53
54
55
56
57
58
59
60
61
62
retry_private: hb_waiters_inc(hb2); double_lock_hb(hb1, hb2); if (likely(cmpval != NULL)) { u32 curval; ret = get_futex_value_locked(&curval, uaddr1);
.\cloneFuncs\totalClone\Type-3\CVE-2014-3153_before_6mo_1383239899_futex_requeue.c
39
40
41
42
43
44
45
46
47
48
*/ free_pi_state(pi_state); pi_state = NULL; } ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ); if (unlikely(ret != 0)) goto out; ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+ show +
49
50
51
52
53
if (unlikely(ret != 0)) goto out_put_key1; hb1 = hash_futex(&key1); hb2 = hash_futex(&key2);
+ show +
54
55
56
57
58
59
60
61
62
63
retry_private: double_lock_hb(hb1, hb2); if (likely(cmpval != NULL)) { u32 curval; ret = get_futex_value_locked(&curval, uaddr1); if (unlikely(ret)) {

[qemu_CVE-2014-3471_1403533969_pcie_cap_slot_write_config.diff] pcie_cap_slot_write_config_OLD.c #1
sltsta); } + /* + * If the slot is polulated, power indicator is off and power + * controller is off, it is safe to detach the devices. + */ + if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) && + ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) { + PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev)); + pci_for_each_device(sec_bus, pci_bus_num(sec_bus), + pcie_unplug_device, NULL); + + pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDS); + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDC); + } + hotplug_event_notify(dev); /*
.\cloneFuncs\totalClone\Type-1\CVE-2014-3471_before_1mo_1392645606_pcie_cap_slot_write_config.c
12
13
14
15
16
17
18
19
20
21
if (!ranges_overlap(addr, len, pos + PCI_EXP_SLTCTL, 2)) { return; } if (pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL, PCI_EXP_SLTCTL_EIC)) { sltsta ^= PCI_EXP_SLTSTA_EIS; /* toggle PCI_EXP_SLTSTA_EIS bit */ pci_set_word(exp_cap + PCI_EXP_SLTSTA, sltsta); PCIE_DEV_PRINTF(dev, "PCI_EXP_SLTCTL_EIC: " "sltsta -> 0x%02"PRIx16"\n",
+ show +
22
23
24
25
26
27
sltsta); } hotplug_event_notify(dev); /*
+ show +
28
29
30
31
32
33
34
35
36
37
* 6.7.3.2 Command Completed Events * * Software issues a command to a hot-plug capable Downstream Port by * issuing a write transaction that targets any portion of the Port’s Slot * Control register. A single write to the Slot Control register is * considered to be a single command, even if the write affects more than * one field in the Slot Control register. In response to this transaction, * the Port must carry out the requested actions and then set the * associated status field for the command completed event. */

[openssl_CVE-2014-3506_1402089952_dtls1_process_out_of_seq_message.diff] dtls1_process_out_of_seq_message_OLD.c #1
if (frag_len && frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); + if (frag_len > dtls1_max_handshake_message_len(s)) + goto err; + frag = dtls1_hm_fragment_new(frag_len, 0); if ( frag == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3505_after_imd_1406241214_dtls1_process_out_of_seq_message.c
37
38
39
40
41
42
43
44
45
46
{ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, devnull, frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); if (i<=0) goto err; frag_len -= i; } } else {
+ show +
47
48
49
50
51
52
if (frag_len && frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); frag = dtls1_hm_fragment_new(frag_len, 0); if ( frag == NULL) goto err;
+ show +
53
54
55
56
57
58
59
60
61
62
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); if (frag_len) { /* read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3505_before_1mo_1396741866_dtls1_process_out_of_seq_message.c
37
38
39
40
41
42
43
44
45
46
{ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, devnull, frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); if (i<=0) goto err; frag_len -= i; } } else {
+ show +
47
48
49
50
51
52
if (frag_len && frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); frag = dtls1_hm_fragment_new(frag_len, 0); if ( frag == NULL) goto err;
+ show +
53
54
55
56
57
58
59
60
61
62
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); if (frag_len) { /* read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err;

[openssl_CVE-2014-3507_1402090233_dtls1_process_out_of_seq_message.diff] dtls1_process_out_of_seq_message_OLD.c #2
if ( item == NULL) goto err; - pqueue_insert(s->d1->buffered_messages, item); + item = pqueue_insert(s->d1->buffered_messages, item); + /* pqueue_insert fails iff a duplicate item is inserted. + * However, |item| cannot be a duplicate. If it were, + * |pqueue_find|, above, would have returned it. Then, either + * |frag_len| != |msg_hdr->msg_len| in which case |item| is set + * to NULL and it will have been processed with + * |dtls1_reassemble_fragment|, above, or the record will have + * been discarded. */ + OPENSSL_assert(item != NULL); } return DTLS1_HM_FRAGMENT_RETRY;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3505_after_imd_1406241214_dtls1_process_out_of_seq_message.c
60
61
62
63
64
65
66
67
68
69
frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; } memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag);
+ show +
70
71
72
73
74
75
76
if ( item == NULL) goto err; pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
77
78
79
80
81
82
err: if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-3505_before_1mo_1396741866_dtls1_process_out_of_seq_message.c
60
61
62
63
64
65
66
67
68
69
frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; } memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag);
+ show +
70
71
72
73
74
75
76
if ( item == NULL) goto err; pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
77
78
79
80
81
82
83
err: if ( frag != NULL) dtls1_hm_fragment_free(frag); if ( item != NULL) OPENSSL_free(item); *ok = 0; return i; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-3507_before_imd_1402089952_dtls1_process_out_of_seq_message.c
63
64
65
66
67
68
69
70
71
72
frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; } memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); seq64be[7] = (unsigned char)(msg_hdr->seq); item = pitem_new(seq64be, frag);
+ show +
73
74
75
76
77
78
79
if ( item == NULL) goto err; pqueue_insert(s->d1->buffered_messages, item); } return DTLS1_HM_FRAGMENT_RETRY;
+ show +
80
81
82
83
84
85
err: if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); *ok = 0; return i; }

[openssl_CVE-2014-3507_1402090233_dtls1_process_out_of_seq_message.diff] dtls1_process_out_of_seq_message_OLD.c #1
} else { - if (frag_len && frag_len < msg_hdr->msg_len) + if (frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); if (frag_len > dtls1_max_handshake_message_len(s))
.\cloneFuncs\totalClone\Type-1\CVE-2014-3507_before_imd_1402089952_dtls1_process_out_of_seq_message.c
34
35
36
37
38
39
40
41
42
43
unsigned char devnull [256]; while (frag_len) { i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, devnull, frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); if (i<=0) goto err; frag_len -= i; }
+ show +
44
45
46
47
48
49
50
} else { if (frag_len && frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); if (frag_len > dtls1_max_handshake_message_len(s))
+ show +
51
52
53
54
55
56
57
58
59
60
goto err; frag = dtls1_hm_fragment_new(frag_len, 0); if ( frag == NULL) goto err; memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); if (frag_len) {

[openssl_CVE-2014-3507_1402090233_dtls1_reassemble_fragment.diff] dtls1_reassemble_fragment_OLD.c #1
msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; + if (frag_len == 0) + return DTLS1_HM_FRAGMENT_RETRY; + /* Try to find item in queue */ memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
.\cloneFuncs\totalClone\Type-1\CVE-2014-3507_before_imd_1402089952_dtls1_reassemble_fragment.c
1
2
3
4
5
6
7
8
9
10
static int dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) { hm_fragment *frag = NULL; pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; unsigned long frag_len = msg_hdr->frag_len; if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
+ show +
11
12
13
14
15
16
msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; /* Try to find item in queue */ memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+ show +
17
18
19
20
21
22
23
24
25
26
seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); if (item == NULL) { frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); if ( frag == NULL) goto err; memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); frag->msg_header.frag_len = frag->msg_header.msg_len;

[openssl_CVE-2014-3513_1413331412_ssl_scan_serverhello_tlsext.diff] ssl_scan_serverhello_tlsext_OLD.c #1
} } #endif - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_after_imd_1406245806_ssl_scan_serverhello_tlsext.c
244
245
246
247
248
249
250
251
252
253
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
254
255
256
257
258
259
260
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
261
262
263
264
265
266
267
268
269
270
return 0; } /* If this extension type was not otherwise handled, but * matches a custom_cli_ext_record, then send it to the c * callback */ else if (s->ctx->custom_cli_ext_records_count) { size_t i; custom_cli_ext_record* record;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_before_1mo_1401731720_ssl_scan_serverhello_tlsext.c
241
242
243
244
245
246
247
248
249
250
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
251
252
253
254
255
256
257
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
258
259
260
261
262
263
264
265
266
267
return 0; } /* If this extension type was not otherwise handled, but * matches a custom_cli_ext_record, then send it to the c * callback */ else if (s->ctx->custom_cli_ext_records_count) { size_t i; custom_cli_ext_record* record;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_scan_serverhello_tlsext.c
244
245
246
247
248
249
250
251
252
253
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
254
255
256
257
258
259
260
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
261
262
263
264
265
266
267
268
269
270
return 0; } #ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite or SSL 3.0 */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4 && s->version != SSL3_VERSION) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3509_after_1mo_1407668888_ssl_scan_serverhello_tlsext.c
244
245
246
247
248
249
250
251
252
253
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
254
255
256
257
258
259
260
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
261
262
263
264
265
266
267
268
269
270
return 0; } /* If this extension type was not otherwise handled, but * matches a custom_cli_ext_record, then send it to the c * callback */ else if (!custom_ext_parse(s, 0, type, data, size, al)) return 0; #ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3509_before_6mo_1389879991_ssl_scan_serverhello_tlsext.c
242
243
244
245
246
247
248
249
250
251
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
252
253
254
255
256
257
258
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
259
260
261
262
263
264
265
266
267
268
return 0; } /* If this extension type was not otherwise handled, but * matches a custom_cli_ext_record, then send it to the c * callback */ else if (s->ctx->custom_cli_ext_records_count) { size_t i; custom_cli_ext_record* record;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_scan_serverhello_tlsext.c
244
245
246
247
248
249
250
251
252
253
{ case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; return 0;
+ show +
254
255
256
257
258
259
260
} } #endif else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+ show +
261
262
263
264
265
266
267
268
269
270
return 0; } /* If this extension type was not otherwise handled, but * matches a custom_cli_ext_record, then send it to the c * callback */ else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) return 0; #ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) {

[openssl_CVE-2014-3509_1406151726_ssl_scan_serverhello_tlsext.diff] ssl_scan_serverhello_tlsext_OLD.c #1
*al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + s->session->tlsext_ecpointformatlist_length = 0; + if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; + memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_before_1mo_1401731720_ssl_scan_serverhello_tlsext.c
59
60
61
62
63
64
65
66
67
68
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist;
+ show +
84
85
86
87
88
89
90
91
92
93
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb &&
.\cloneFuncs\totalClone\Type-3\CVE-2014-3509_before_6mo_1389879991_ssl_scan_serverhello_tlsext.c
59
60
61
62
63
64
65
66
67
68
} #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); if (ecpointformatlist_length != size - 1) {
+ show +
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
*al = TLS1_AD_DECODE_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = 0; if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist;
+ show +
84
85
86
87
88
89
90
91
92
93
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) fprintf(stderr,"%i ",*(sdata++)); fprintf(stderr,"\n"); #endif } #endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb &&

[openssl_CVE-2014-3513_1413331412_ssl_add_clienthello_tlsext.diff] ssl_add_clienthello_tlsext_OLD.c #1
ret += s->alpn_client_proto_list_len; } - if(SSL_get_srtp_profiles(s)) + if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_add_clienthello_tlsext.c
337
338
339
340
341
342
343
344
345
346
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) return NULL; s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); s2n(2 + s->alpn_client_proto_list_len,ret); s2n(s->alpn_client_proto_list_len,ret); memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
+ show +
347
348
349
350
351
352
ret += s->alpn_client_proto_list_len; } if(SSL_get_srtp_profiles(s)) { int el;
+ show +
353
354
355
356
357
358
359
360
361
362
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_add_clienthello_tlsext.c
337
338
339
340
341
342
343
344
345
346
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) return NULL; s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); s2n(2 + s->alpn_client_proto_list_len,ret); s2n(s->alpn_client_proto_list_len,ret); memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
+ show +
347
348
349
350
351
352
ret += s->alpn_client_proto_list_len; } if(SSL_get_srtp_profiles(s)) { int el;
+ show +
353
354
355
356
357
358
359
360
361
362
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_6mo_1396741866_ssl_add_clienthello_tlsext.c
334
335
336
337
338
339
340
341
342
343
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) return NULL; s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); s2n(2 + s->alpn_client_proto_list_len,ret); s2n(s->alpn_client_proto_list_len,ret); memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
+ show +
344
345
346
347
348
349
ret += s->alpn_client_proto_list_len; } if(SSL_get_srtp_profiles(s)) { int el;
+ show +
350
351
352
353
354
355
356
357
358
359
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); if((limit - p - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {

[openssl_CVE-2014-3513_1413331412_ssl_add_serverhello_tlsext.diff] ssl_add_serverhello_tlsext_OLD.c #1
} #endif - if(s->srtp_profile) + if(SSL_IS_DTLS(s) && s->srtp_profile) { int el;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_add_serverhello_tlsext.c
101
102
103
104
105
106
107
108
109
110
if ((long)(limit - ret - 6 - sol) < 0) return NULL; if (sol > 0xFFFD) /* can't happen */ return NULL; s2n(TLSEXT_TYPE_opaque_prf_input, ret); s2n(sol + 2, ret); s2n(sol, ret); memcpy(ret, s->s3->server_opaque_prf_input, sol); ret += sol;
+ show +
111
112
113
114
115
116
} #endif if(s->srtp_profile) { int el;
+ show +
117
118
119
120
121
122
123
124
125
126
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_add_serverhello_tlsext.c
101
102
103
104
105
106
107
108
109
110
if ((long)(limit - ret - 6 - sol) < 0) return NULL; if (sol > 0xFFFD) /* can't happen */ return NULL; s2n(TLSEXT_TYPE_opaque_prf_input, ret); s2n(sol + 2, ret); s2n(sol, ret); memcpy(ret, s->s3->server_opaque_prf_input, sol); ret += sol;
+ show +
111
112
113
114
115
116
} #endif if(s->srtp_profile) { int el;
+ show +
117
118
119
120
121
122
123
124
125
126
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_6mo_1396741866_ssl_add_serverhello_tlsext.c
102
103
104
105
106
107
108
109
110
111
if ((long)(limit - ret - 6 - sol) < 0) return NULL; if (sol > 0xFFFD) /* can't happen */ return NULL; s2n(TLSEXT_TYPE_opaque_prf_input, ret); s2n(sol + 2, ret); s2n(sol, ret); memcpy(ret, s->s3->server_opaque_prf_input, sol); ret += sol;
+ show +
112
113
114
115
116
117
} #endif if(s->srtp_profile) { int el;
+ show +
118
119
120
121
122
123
124
125
126
127
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); if((limit - p - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {

[openssl_CVE-2014-3513_1413331412_ssl_scan_clienthello_tlsext.diff] ssl_scan_clienthello_tlsext_OLD.c #1
} /* session ticket processed earlier */ - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) + && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_scan_clienthello_tlsext.c
508
509
510
511
512
513
514
515
516
517
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) return 0; #ifndef OPENSSL_NO_NEXTPROTONEG /* ALPN takes precedence over NPN. */ s->s3->next_proto_neg_seen = 0; #endif
+ show +
518
519
520
521
522
523
524
} /* session ticket processed earlier */ else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+ show +
525
526
527
528
529
530
531
532
533
534
return 0; } #ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { if (s->version != SSL3_VERSION) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } #endif /* If this ClientHello extension was unhandled and this is
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_scan_clienthello_tlsext.c
508
509
510
511
512
513
514
515
516
517
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) return 0; #ifndef OPENSSL_NO_NEXTPROTONEG /* ALPN takes precedence over NPN. */ s->s3->next_proto_neg_seen = 0; #endif
+ show +
518
519
520
521
522
523
524
} /* session ticket processed earlier */ else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+ show +
525
526
527
528
529
530
531
532
533
534
return 0; } /* If this ClientHello extension was unhandled and this is * a nonresumed connection, check whether the extension is a * custom TLS Extension (has a custom_srv_ext_record), and if * so call the callback and record the extension number so that * an appropriate ServerHello may be later returned. */ else if (!s->hit) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_6mo_1396741866_ssl_scan_clienthello_tlsext.c
516
517
518
519
520
521
522
523
524
525
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) return 0; #ifndef OPENSSL_NO_NEXTPROTONEG /* ALPN takes precedence over NPN. */ s->s3->next_proto_neg_seen = 0; #endif
+ show +
526
527
528
529
530
531
532
} /* session ticket processed earlier */ else if (type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+ show +
533
534
535
536
537
538
539
540
541
542
return 0; } /* If this ClientHello extension was unhandled and this is * a nonresumed connection, check whether the extension is a * custom TLS Extension (has a custom_srv_ext_record), and if * so call the callback and record the extension number so that * an appropriate ServerHello may be later returned. */ else if (!s->hit && s->ctx->custom_srv_ext_records_count) {

[linux_CVE-2014-3534_1403530180___poke_user.diff] __poke_user_OLD.c #1
unsigned long mask = PSW_MASK_USER; mask |= is_ri_task(child) ? PSW_MASK_RI : 0; - if ((data & ~mask) != PSW_USER_BITS) + if ((data ^ PSW_USER_BITS) & ~mask) + /* Invalid psw mask. */ + return -EINVAL; + if ((data & PSW_MASK_ASC) == PSW_ASC_HOME) + /* Invalid address-space-control bits */ return -EINVAL; if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA)) + /* Invalid addressing mode bits */ return -EINVAL; } *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3534_before_1mo_1396352733___poke_user.c
1
2
3
4
5
6
7
8
9
10
static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) { struct user *dummy = NULL; addr_t offset; if (addr < (addr_t) &dummy->regs.acrs) { /* * psw and gprs are stored on the stack */ if (addr == (addr_t) &dummy->regs.psw.mask) {
+ show +
11
12
13
14
15
16
17
18
19
unsigned long mask = PSW_MASK_USER; mask |= is_ri_task(child) ? PSW_MASK_RI : 0; if ((data & ~mask) != PSW_USER_BITS) return -EINVAL; if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA)) return -EINVAL; } *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
+ show +
20
21
22
23
24
25
26
27
28
29
} else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) { /* * access registers are stored in the thread structure */ offset = addr - (addr_t) &dummy->regs.acrs; #ifdef CONFIG_64BIT /* * Very special case: old & broken 64 bit gdb writing * to acrs[15] with a 64 bit value. Ignore the lower

[linux_CVE-2014-3534_1403530180___poke_user_compat.diff] __poke_user_compat_OLD.c #1
mask |= is_ri_task(child) ? PSW32_MASK_RI : 0; /* Build a 64 bit psw mask from 31 bit mask. */ - if ((tmp & ~mask) != PSW32_USER_BITS) + if ((tmp ^ PSW32_USER_BITS) & ~mask) /* Invalid psw mask. */ return -EINVAL; + if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME) + /* Invalid address-space-control bits */ + return -EINVAL; regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) | (regs->psw.mask & PSW_MASK_BA) | (__u64)(tmp & mask) << 32;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3534_before_1mo_1396352733___poke_user_compat.c
6
7
8
9
10
11
12
13
14
15
addr_t offset; if (addr < (addr_t) &dummy32->regs.acrs) { struct pt_regs *regs = task_pt_regs(child); /* * psw, gprs, acrs and orig_gpr2 are stored on the stack */ if (addr == (addr_t) &dummy32->regs.psw.mask) { __u32 mask = PSW32_MASK_USER;
+ show +
16
17
18
19
20
21
22
23
mask |= is_ri_task(child) ? PSW32_MASK_RI : 0; /* Build a 64 bit psw mask from 31 bit mask. */ if ((tmp & ~mask) != PSW32_USER_BITS) /* Invalid psw mask. */ return -EINVAL; regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) | (regs->psw.mask & PSW_MASK_BA) | (__u64)(tmp & mask) << 32;
+ show +
24
25
26
27
28
29
30
31
32
33
} else if (addr == (addr_t) &dummy32->regs.psw.addr) { /* Build a 64 bit psw address from 31 bit address. */ regs->psw.addr = (__u64) tmp & PSW32_ADDR_INSN; /* Transfer 31 bit amode bit to psw mask. */ regs->psw.mask = (regs->psw.mask & ~PSW_MASK_BA) | (__u64)(tmp & PSW32_ADDR_AMODE); } else { /* gpr 0-15 */ *(__u32*)((addr_t) &regs->psw + addr*2 + 4) = tmp; }

[openssl_CVE-2014-3567_1413334435_tls_decrypt_ticket.diff] tls_decrypt_ticket_OLD.c #1
HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); return 2; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
.\cloneFuncs\totalClone\Type-1\CVE-2014-3567_before_1mo_1408209386_tls_decrypt_ticket.c
43
44
45
46
47
48
49
50
51
52
*/ mlen = HMAC_size(&hctx); if (mlen < 0) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ HMAC_Update(&hctx, etick, eticklen);
+ show +
53
54
55
56
57
58
59
HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
+ show +
60
61
62
63
64
65
66
67
68
69
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); sdec = OPENSSL_malloc(eticklen); if (!sdec) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; } EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-3567_before_6mo_1396741866_tls_decrypt_ticket.c
43
44
45
46
47
48
49
50
51
52
*/ mlen = HMAC_size(&hctx); if (mlen < 0) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ HMAC_Update(&hctx, etick, eticklen);
+ show +
53
54
55
56
57
58
59
HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
+ show +
60
61
62
63
64
65
66
67
68
69
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); sdec = OPENSSL_malloc(eticklen); if (!sdec) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; } EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) return 2;

[openssl_CVE-2014-3571_1420245913_ssl3_read_n.diff] ssl3_read_n_OLD.c #1
* at once (as long as it fits into the buffer). */ if (SSL_IS_DTLS(s)) { + if (left == 0 && extend) + return 0; if (left > 0 && n > left) n = left; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-3571_before_1mo_1416315386_ssl3_read_n.c
49
50
51
52
53
54
55
56
57
58
rb->offset = align; } } s->packet = rb->buf + rb->offset; s->packet_length = 0; /* ... now we can act as if 'extend' was set */ } /* For DTLS/UDP reads should not span multiple packets * because the read operation returns the whole packet
+ show +
59
60
61
62
63
64
* at once (as long as it fits into the buffer). */ if (SSL_IS_DTLS(s)) { if (left > 0 && n > left) n = left; }
+ show +
65
66
67
68
69
70
71
72
73
74
/* if there is enough in the buffer from a previous read, take some */ if (left >= n) { s->packet_length+=n; rb->left=left-n; rb->offset+=n; return(n); }

[openssl_CVE-2014-3572_1414150233_ssl3_get_key_exchange.diff] ssl3_get_key_exchange_OLD.c #3
/* Total length of the parameters including the length prefix */ param_len=0; - alg_k=s->s3->tmp.new_cipher->algorithm_mkey; alg_a=s->s3->tmp.new_cipher->algorithm_auth; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3572_before_1mo_1411300471_ssl3_get_key_exchange.c
75
76
77
78
79
80
81
82
83
84
EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); s->session->sess_cert->peer_ecdh_tmp=NULL; } #endif } else { s->session->sess_cert=ssl_sess_cert_new(); }
+ show +
85
86
87
88
89
90
91
92
/* Total length of the parameters including the length prefix */ param_len=0; alg_k=s->s3->tmp.new_cipher->algorithm_mkey; alg_a=s->s3->tmp.new_cipher->algorithm_auth; EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR;
+ show +
93
94
95
96
97
98
99
100
101
102
#ifndef OPENSSL_NO_PSK if (alg_k & SSL_kPSK) { char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; param_len = 2; if (param_len > n) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,

[qemu_CVE-2014-3640_1411022137_udp_input.diff] udp_input_OLD.c #1
* Locate pcb for datagram. */ so = slirp->udp_last_so; - if (so->so_lport != uh->uh_sport || + if (so == &slirp->udb || so->so_lport != uh->uh_sport || so->so_laddr.s_addr != ip->ip_src.s_addr) { struct socket *tmp;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3640_before_1mo_1362769112_udp_input.c
79
80
81
82
83
84
85
86
87
88
ip->ip_dst.s_addr == slirp->vhost_addr.s_addr) { tftp_input(m); goto bad; } if (slirp->restricted) { goto bad; } /*
+ show +
89
90
91
92
93
94
* Locate pcb for datagram. */ so = slirp->udp_last_so; if (so->so_lport != uh->uh_sport || so->so_laddr.s_addr != ip->ip_src.s_addr) { struct socket *tmp;
+ show +
95
96
97
98
99
100
101
102
103
104
for (tmp = slirp->udb.so_next; tmp != &slirp->udb; tmp = tmp->so_next) { if (tmp->so_lport == uh->uh_sport && tmp->so_laddr.s_addr == ip->ip_src.s_addr) { so = tmp; break; } } if (tmp == &slirp->udb) {

[linux_CVE-2014-3646_1411496550_nested_vmx_exit_handled.diff] nested_vmx_exit_handled_OLD.c #1
case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: - case EXIT_REASON_INVEPT: + case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: /* * VMX instructions trap unconditionally. This allows L1 to * emulate them for its L2 guest, i.e., allows 3-level nesting!
.\cloneFuncs\totalClone\Type-1\CVE-2014-3646_before_imd_1409163404_nested_vmx_exit_handled.c
51
52
53
54
55
56
57
58
59
60
case EXIT_REASON_INVD: return 1; case EXIT_REASON_INVLPG: return nested_cpu_has(vmcs12, CPU_BASED_INVLPG_EXITING); case EXIT_REASON_RDPMC: return nested_cpu_has(vmcs12, CPU_BASED_RDPMC_EXITING); case EXIT_REASON_RDTSC: return nested_cpu_has(vmcs12, CPU_BASED_RDTSC_EXITING); case EXIT_REASON_VMCALL: case EXIT_REASON_VMCLEAR: case EXIT_REASON_VMLAUNCH: case EXIT_REASON_VMPTRLD:
+ show +
61
62
63
64
65
66
67
case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: case EXIT_REASON_INVEPT: /* * VMX instructions trap unconditionally. This allows L1 to * emulate them for its L2 guest, i.e., allows 3-level nesting!
+ show +
68
69
70
71
72
73
74
75
76
77
*/ return 1; case EXIT_REASON_CR_ACCESS: return nested_vmx_exit_handled_cr(vcpu, vmcs12); case EXIT_REASON_DR_ACCESS: return nested_cpu_has(vmcs12, CPU_BASED_MOV_DR_EXITING); case EXIT_REASON_IO_INSTRUCTION: return nested_vmx_exit_handled_io(vcpu, vmcs12); case EXIT_REASON_MSR_READ: case EXIT_REASON_MSR_WRITE:
.\cloneFuncs\totalClone\Type-3\CVE-2014-3646_before_1mo_1408637289_nested_vmx_exit_handled.c
49
50
51
52
53
54
55
56
57
58
case EXIT_REASON_INVD: return 1; case EXIT_REASON_INVLPG: return nested_cpu_has(vmcs12, CPU_BASED_INVLPG_EXITING); case EXIT_REASON_RDPMC: return nested_cpu_has(vmcs12, CPU_BASED_RDPMC_EXITING); case EXIT_REASON_RDTSC: return nested_cpu_has(vmcs12, CPU_BASED_RDTSC_EXITING); case EXIT_REASON_VMCALL: case EXIT_REASON_VMCLEAR: case EXIT_REASON_VMLAUNCH: case EXIT_REASON_VMPTRLD:
+ show +
59
60
61
62
63
64
65
case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: case EXIT_REASON_INVEPT: /* * VMX instructions trap unconditionally. This allows L1 to * emulate them for its L2 guest, i.e., allows 3-level nesting!
+ show +
66
67
68
69
70
71
72
73
74
75
*/ return 1; case EXIT_REASON_CR_ACCESS: return nested_vmx_exit_handled_cr(vcpu, vmcs12); case EXIT_REASON_DR_ACCESS: return nested_cpu_has(vmcs12, CPU_BASED_MOV_DR_EXITING); case EXIT_REASON_IO_INSTRUCTION: return nested_vmx_exit_handled_io(vcpu, vmcs12); case EXIT_REASON_MSR_READ: case EXIT_REASON_MSR_WRITE:

[linux_CVE-2017-2583_1484229752___load_segment_descriptor.diff] __load_segment_descriptor_OLD.c #1
rpl = selector & 3; - /* NULL selector is not valid for TR, CS and SS (except for long mode) */ - if ((seg == VCPU_SREG_CS - || (seg == VCPU_SREG_SS - && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) - || seg == VCPU_SREG_TR) - && null_selector) - goto exception; - /* TR should be in GDT only */ if (seg == VCPU_SREG_TR && (selector & (1 << 2))) goto exception; - if (null_selector) /* for NULL selector skip all following checks */ + /* NULL selector is not valid for TR, CS and (except for long mode) SS */ + if (null_selector) { + if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR) + goto exception; + + if (seg == VCPU_SREG_SS) { + if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl) + goto exception; + + /* + * ctxt->ops->set_segment expects the CPL to be in + * SS.DPL, so fake an expand-up 32-bit data segment. + */ + seg_desc.type = 3; + seg_desc.p = 1; + seg_desc.s = 1; + seg_desc.dpl = cpl; + seg_desc.d = 1; + seg_desc.g = 1; + } + + /* Skip all following checks */ goto load; + } ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); if (ret != X86EMUL_CONTINUE)
.\cloneFuncs\totalClone\Type-1\CVE-2014-3647_after_1mo_1414068854___load_segment_descriptor.c
25
26
27
28
29
30
31
32
33
34
/* VM86 needs a clean new segment descriptor */ set_desc_base(&seg_desc, selector << 4); set_desc_limit(&seg_desc, 0xffff); seg_desc.type = 3; seg_desc.p = 1; seg_desc.s = 1; seg_desc.dpl = 3; goto load; }
+ show +
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
rpl = selector & 3; /* NULL selector is not valid for TR, CS and SS (except for long mode) */ if ((seg == VCPU_SREG_CS || (seg == VCPU_SREG_SS && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) || seg == VCPU_SREG_TR) && null_selector) goto exception; /* TR should be in GDT only */ if (seg == VCPU_SREG_TR && (selector & (1 << 2))) goto exception; if (null_selector) /* for NULL selector skip all following checks */ goto load; ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); if (ret != X86EMUL_CONTINUE)
+ show +
54
55
56
57
58
59
60
61
62
63
return ret; err_code = selector & 0xfffc; err_vec = in_task_switch ? TS_VECTOR : GP_VECTOR; /* can't load system descriptor into segment selector */ if (seg <= VCPU_SREG_GS && !seg_desc.s) goto exception; if (!seg_desc.p) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-3647_before_imd_1411069178___load_segment_descriptor.c
23
24
25
26
27
28
29
30
31
32
/* VM86 needs a clean new segment descriptor */ set_desc_base(&seg_desc, selector << 4); set_desc_limit(&seg_desc, 0xffff); seg_desc.type = 3; seg_desc.p = 1; seg_desc.s = 1; seg_desc.dpl = 3; goto load; }
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
rpl = selector & 3; /* NULL selector is not valid for TR, CS and SS (except for long mode) */ if ((seg == VCPU_SREG_CS || (seg == VCPU_SREG_SS && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) || seg == VCPU_SREG_TR) && null_selector) goto exception; /* TR should be in GDT only */ if (seg == VCPU_SREG_TR && (selector & (1 << 2))) goto exception; if (null_selector) /* for NULL selector skip all following checks */ goto load; ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); if (ret != X86EMUL_CONTINUE)
+ show +
52
53
54
55
56
57
58
59
60
61
return ret; err_code = selector & 0xfffc; err_vec = in_task_switch ? TS_VECTOR : GP_VECTOR; /* can't load system descriptor into segment selector */ if (seg <= VCPU_SREG_GS && !seg_desc.s) goto exception; if (!seg_desc.p) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-2583_before_1mo_1479932100___load_segment_descriptor.c
25
26
27
28
29
30
31
32
33
34
/* VM86 needs a clean new segment descriptor */ set_desc_base(&seg_desc, selector << 4); set_desc_limit(&seg_desc, 0xffff); seg_desc.type = 3; seg_desc.p = 1; seg_desc.s = 1; seg_desc.dpl = 3; goto load; }
+ show +
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
rpl = selector & 3; /* NULL selector is not valid for TR, CS and SS (except for long mode) */ if ((seg == VCPU_SREG_CS || (seg == VCPU_SREG_SS && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) || seg == VCPU_SREG_TR) && null_selector) goto exception; /* TR should be in GDT only */ if (seg == VCPU_SREG_TR && (selector & (1 << 2))) goto exception; if (null_selector) /* for NULL selector skip all following checks */ goto load; ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); if (ret != X86EMUL_CONTINUE)
+ show +
54
55
56
57
58
59
60
61
62
63
return ret; err_code = selector & 0xfffc; err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR : GP_VECTOR; /* can't load system descriptor into segment selector */ if (seg <= VCPU_SREG_GS && !seg_desc.s) { if (transfer == X86_TRANSFER_CALL_JMP) return X86EMUL_UNHANDLEABLE;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3647_before_1mo_1408360620___load_segment_descriptor.c
23
24
25
26
27
28
29
30
31
32
/* VM86 needs a clean new segment descriptor */ set_desc_base(&seg_desc, selector << 4); set_desc_limit(&seg_desc, 0xffff); seg_desc.type = 3; seg_desc.p = 1; seg_desc.s = 1; seg_desc.dpl = 3; goto load; }
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
rpl = selector & 3; /* NULL selector is not valid for TR, CS and SS (except for long mode) */ if ((seg == VCPU_SREG_CS || (seg == VCPU_SREG_SS && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) || seg == VCPU_SREG_TR) && null_selector) goto exception; /* TR should be in GDT only */ if (seg == VCPU_SREG_TR && (selector & (1 << 2))) goto exception; if (null_selector) /* for NULL selector skip all following checks */ goto load; ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); if (ret != X86EMUL_CONTINUE)
+ show +
52
53
54
55
56
57
58
59
60
61
return ret; err_code = selector & 0xfffc; err_vec = in_task_switch ? TS_VECTOR : GP_VECTOR; /* can't load system descriptor into segment selector */ if (seg <= VCPU_SREG_GS && !seg_desc.s) goto exception; if (!seg_desc.p) {

[linux_CVE-2014-3647_1411069179___load_segment_descriptor.diff] __load_segment_descriptor_OLD.c #1
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - u16 selector, int seg, u8 cpl, bool in_task_switch) + u16 selector, int seg, u8 cpl, + bool in_task_switch, + struct desc_struct *desc) { struct desc_struct seg_desc, old_desc; u8 dpl, rpl;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3647_before_imd_1411069178___load_segment_descriptor.c
+ show +
1
2
3
4
5
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, u16 selector, int seg, u8 cpl, bool in_task_switch) { struct desc_struct seg_desc, old_desc; u8 dpl, rpl;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned err_vec = GP_VECTOR; u32 err_code = 0; bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */ ulong desc_addr; int ret; u16 dummy; u32 base3 = 0; memset(&seg_desc, 0, sizeof seg_desc);
.\cloneFuncs\totalClone\Type-3\CVE-2014-3647_before_1mo_1408360620___load_segment_descriptor.c
+ show +
1
2
3
4
5
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, u16 selector, int seg, u8 cpl, bool in_task_switch) { struct desc_struct seg_desc, old_desc; u8 dpl, rpl;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned err_vec = GP_VECTOR; u32 err_code = 0; bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */ ulong desc_addr; int ret; u16 dummy; u32 base3 = 0; memset(&seg_desc, 0, sizeof seg_desc);

[linux_CVE-2014-4171_1406149210_shmem_fallocate.diff] shmem_fallocate_OLD.c #1
mutex_lock(&inode->i_mutex); - shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; - if (mode & FALLOC_FL_PUNCH_HOLE) { struct address_space *mapping = file->f_mapping; loff_t unmap_start = round_up(offset, PAGE_SIZE); loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; + DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); + shmem_falloc.waitq = &shmem_falloc_waitq; shmem_falloc.start = unmap_start >> PAGE_SHIFT; shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; spin_lock(&inode->i_lock);
.\cloneFuncs\totalClone\Type-1\CVE-2014-4171_before_imd_1404339758_shmem_fallocate.c
3
4
5
6
7
8
9
10
11
12
{ struct inode *inode = file_inode(file); struct shmem_sb_info *sbinfo = SHMEM_SB(inode->i_sb); struct shmem_falloc shmem_falloc; pgoff_t start, index, end; int error; if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) return -EOPNOTSUPP;
+ show +
13
14
15
16
17
18
19
20
21
22
23
24
mutex_lock(&inode->i_mutex); shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; if (mode & FALLOC_FL_PUNCH_HOLE) { struct address_space *mapping = file->f_mapping; loff_t unmap_start = round_up(offset, PAGE_SIZE); loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; shmem_falloc.start = unmap_start >> PAGE_SHIFT; shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; spin_lock(&inode->i_lock);
+ show +
25
26
27
28
29
30
31
32
33
34
inode->i_private = &shmem_falloc; spin_unlock(&inode->i_lock); if ((u64)unmap_end > (u64)unmap_start) unmap_mapping_range(mapping, unmap_start, 1 + unmap_end - unmap_start, 0); shmem_truncate_range(inode, offset, offset + len - 1); /* No need to unmap again: hole-punching leaves COWed pages */ error = 0; goto undone;

[linux_CVE-2014-4171_1406149210_shmem_fallocate.diff] shmem_fallocate_OLD.c #2
1 + unmap_end - unmap_start, 0); shmem_truncate_range(inode, offset, offset + len - 1); /* No need to unmap again: hole-punching leaves COWed pages */ + + spin_lock(&inode->i_lock); + inode->i_private = NULL; + wake_up_all(&shmem_falloc_waitq); + spin_unlock(&inode->i_lock); error = 0; - goto undone; + goto out; } /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
.\cloneFuncs\totalClone\Type-1\CVE-2014-4171_before_imd_1404339758_shmem_fallocate.c
20
21
22
23
24
25
26
27
28
29
loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; shmem_falloc.start = unmap_start >> PAGE_SHIFT; shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; spin_lock(&inode->i_lock); inode->i_private = &shmem_falloc; spin_unlock(&inode->i_lock); if ((u64)unmap_end > (u64)unmap_start) unmap_mapping_range(mapping, unmap_start,
+ show +
30
31
32
33
34
35
36
37
1 + unmap_end - unmap_start, 0); shmem_truncate_range(inode, offset, offset + len - 1); /* No need to unmap again: hole-punching leaves COWed pages */ error = 0; goto undone; } /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
+ show +
38
39
40
41
42
43
44
45
46
47
error = inode_newsize_ok(inode, offset + len); if (error) goto out; start = offset >> PAGE_CACHE_SHIFT; end = (offset + len + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; /* Try to avoid a swapstorm if len is impossible to satisfy */ if (sbinfo->max_blocks && end - start > sbinfo->max_blocks) { error = -ENOSPC; goto out;

[linux_CVE-2014-4171_1406149210_shmem_fallocate.diff] shmem_fallocate_OLD.c #3
goto out; } + shmem_falloc.waitq = NULL; shmem_falloc.start = start; shmem_falloc.next = start; shmem_falloc.nr_falloced = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4171_before_imd_1404339758_shmem_fallocate.c
37
38
39
40
41
42
43
44
45
46
/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ error = inode_newsize_ok(inode, offset + len); if (error) goto out; start = offset >> PAGE_CACHE_SHIFT; end = (offset + len + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; /* Try to avoid a swapstorm if len is impossible to satisfy */ if (sbinfo->max_blocks && end - start > sbinfo->max_blocks) { error = -ENOSPC;
+ show +
47
48
49
50
51
52
goto out; } shmem_falloc.start = start; shmem_falloc.next = start; shmem_falloc.nr_falloced = 0;
+ show +
53
54
55
56
57
58
59
60
61
62
shmem_falloc.nr_unswapped = 0; spin_lock(&inode->i_lock); inode->i_private = &shmem_falloc; spin_unlock(&inode->i_lock); for (index = start; index < end; index++) { struct page *page; /* * Good, the fallocate(2) manpage permits EINTR: we may have
.\cloneFuncs\totalClone\Type-3\CVE-2014-4171_before_1mo_1402594218_shmem_fallocate.c
26
27
28
29
30
31
32
33
34
35
/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ error = inode_newsize_ok(inode, offset + len); if (error) goto out; start = offset >> PAGE_CACHE_SHIFT; end = (offset + len + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; /* Try to avoid a swapstorm if len is impossible to satisfy */ if (sbinfo->max_blocks && end - start > sbinfo->max_blocks) { error = -ENOSPC;
+ show +
36
37
38
39
40
41
goto out; } shmem_falloc.start = start; shmem_falloc.next = start; shmem_falloc.nr_falloced = 0;
+ show +
42
43
44
45
46
47
48
49
50
51
shmem_falloc.nr_unswapped = 0; spin_lock(&inode->i_lock); inode->i_private = &shmem_falloc; spin_unlock(&inode->i_lock); for (index = start; index < end; index++) { struct page *page; /* * Good, the fallocate(2) manpage permits EINTR: we may have

[linux_CVE-2014-4171_1406149210_shmem_writepage.diff] shmem_writepage_OLD.c #1
spin_lock(&inode->i_lock); shmem_falloc = inode->i_private; if (shmem_falloc && - !shmem_falloc->mode && + !shmem_falloc->waitq && index >= shmem_falloc->start && index < shmem_falloc->next) shmem_falloc->nr_unswapped++;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4171_before_imd_1404339758_shmem_writepage.c
35
36
37
38
39
40
41
42
43
44
* * That's okay for a page already fallocated earlier, but if we have * not yet completed the fallocation, then (a) we want to keep track * of this page in case we have to undo it, and (b) it may not be a * good idea to continue anyway, once we're pushing into swap. So * reactivate the page, and let shmem_fallocate() quit when too many. */ if (!PageUptodate(page)) { if (inode->i_private) { struct shmem_falloc *shmem_falloc;
+ show +
45
46
47
48
49
50
51
spin_lock(&inode->i_lock); shmem_falloc = inode->i_private; if (shmem_falloc && !shmem_falloc->mode && index >= shmem_falloc->start && index < shmem_falloc->next) shmem_falloc->nr_unswapped++;
+ show +
52
53
54
55
56
57
58
59
60
61
else shmem_falloc = NULL; spin_unlock(&inode->i_lock); if (shmem_falloc) goto redirty; } clear_highpage(page); flush_dcache_page(page); SetPageUptodate(page); }

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #1
-#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun - int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, unsigned char *out, size_t *out_len) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
+ show +
1
2
3
4
5
#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, unsigned char *out, size_t *out_len) {
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned char *op; const unsigned char *ip; size_t t, next; size_t state = 0; const unsigned char *m_pos; const unsigned char * const ip_end = in + in_len; unsigned char * const op_end = out + *out_len; op = out; ip = in;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #2
while (unlikely(*ip == 0)) { t += 255; ip++; - NEED_IP(1); + NEED_IP(1, 0); } t += 15 + *ip++; } t += 3; copy_literal_run: #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) - if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { + if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) { const unsigned char *ie = ip + t; unsigned char *oe = op + t; do {
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
23
24
25
26
27
28
29
30
31
32
goto match_next; } goto copy_literal_run; } for (;;) { t = *ip++; if (t < 16) { if (likely(state == 0)) { if (unlikely(t == 0)) {
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
while (unlikely(*ip == 0)) { t += 255; ip++; NEED_IP(1); } t += 15 + *ip++; } t += 3; copy_literal_run: #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { const unsigned char *ie = ip + t; unsigned char *oe = op + t; do {
+ show +
47
48
49
50
51
52
53
54
55
56
COPY8(op, ip); op += 8; ip += 8; COPY8(op, ip); op += 8; ip += 8; } while (ip < ie); ip = ie; op = oe; } else

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #3
} else #endif { - NEED_OP(t); - NEED_IP(t + 3); + NEED_OP(t, 0); + NEED_IP(t, 3); do { *op++ = *ip++; } while (--t > 0);
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
46
47
48
49
50
51
52
53
54
55
do { COPY8(op, ip); op += 8; ip += 8; COPY8(op, ip); op += 8; ip += 8; } while (ip < ie); ip = ie; op = oe;
+ show +
56
57
58
59
60
61
62
63
} else #endif { NEED_OP(t); NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0);
+ show +
64
65
66
67
68
69
70
71
72
73
} state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1; m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2);
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
51
52
53
54
55
56
57
58
59
60
do { COPY8(op, ip); op += 8; ip += 8; COPY8(op, ip); op += 8; ip += 8; } while (ip < ie); ip = ie; op = oe;
+ show +
61
62
63
64
65
66
67
68
} else #endif { NEED_OP(t); NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0);
+ show +
69
70
71
72
73
74
75
76
77
78
} state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1; m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2);
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
51
52
53
54
55
56
57
58
59
60
do { COPY8(op, ip); op += 8; ip += 8; COPY8(op, ip); op += 8; ip += 8; } while (ip < ie); ip = ie; op = oe;
+ show +
61
62
63
64
65
66
67
68
} else #endif { NEED_OP(t); NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0);
+ show +
69
70
71
72
73
74
75
76
77
78
} state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1; m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2);

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #4
m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); - NEED_OP(2); + NEED_OP(2, 0); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
60
61
62
63
64
65
66
67
68
69
NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0); } state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1;
+ show +
70
71
72
73
74
75
76
m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
77
78
79
80
81
82
83
84
85
86
goto match_next; } else { next = t & 3; m_pos = op - (1 + M2_MAX_OFFSET); m_pos -= t >> 2; m_pos -= *ip++ << 2; t = 3; } } else if (t >= 64) { next = t & 3;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
65
66
67
68
69
70
71
72
73
74
NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0); } state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1;
+ show +
75
76
77
78
79
80
81
m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
82
83
84
85
86
87
88
89
90
91
goto match_next; } else { next = t & 3; m_pos = op - (1 + M2_MAX_OFFSET); m_pos -= t >> 2; m_pos -= *ip++ << 2; t = 3; } } else if (t >= 64) { next = t & 3;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
65
66
67
68
69
70
71
72
73
74
NEED_IP(t + 3); do { *op++ = *ip++; } while (--t > 0); } state = 4; continue; } else if (state != 4) { next = t & 3; m_pos = op - 1;
+ show +
75
76
77
78
79
80
81
m_pos -= t >> 2; m_pos -= *ip++ << 2; TEST_LB(m_pos); NEED_OP(2); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
82
83
84
85
86
87
88
89
90
91
goto match_next; } else { next = t & 3; m_pos = op - (1 + M2_MAX_OFFSET); m_pos -= t >> 2; m_pos -= *ip++ << 2; t = 3; } } else if (t >= 64) { next = t & 3;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #5
while (unlikely(*ip == 0)) { t += 255; ip++; - NEED_IP(1); + NEED_IP(1, 0); } t += 31 + *ip++; - NEED_IP(2); + NEED_IP(2, 0); } m_pos = op - 1; next = get_unaligned_le16(ip);
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
84
85
86
87
88
89
90
91
92
93
} } else if (t >= 64) { next = t & 3; m_pos = op - 1; m_pos -= (t >> 2) & 7; m_pos -= *ip++ << 3; t = (t >> 5) - 1 + (3 - 1); } else if (t >= 32) { t = (t & 31) + (3 - 1); if (unlikely(t == 2)) {
+ show +
94
95
96
97
98
99
100
101
102
103
while (unlikely(*ip == 0)) { t += 255; ip++; NEED_IP(1); } t += 31 + *ip++; NEED_IP(2); } m_pos = op - 1; next = get_unaligned_le16(ip);
+ show +
104
105
106
107
108
109
110
111
112
113
ip += 2; m_pos -= next >> 2; next &= 3; } else { m_pos = op; m_pos -= (t & 8) << 11; t = (t & 7) + (3 - 1); if (unlikely(t == 2)) { while (unlikely(*ip == 0)) { t += 255;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #6
while (unlikely(*ip == 0)) { t += 255; ip++; - NEED_IP(1); + NEED_IP(1, 0); } t += 7 + *ip++; - NEED_IP(2); + NEED_IP(2, 0); } next = get_unaligned_le16(ip); ip += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
102
103
104
105
106
107
108
109
110
111
m_pos = op - 1; next = get_unaligned_le16(ip); ip += 2; m_pos -= next >> 2; next &= 3; } else { m_pos = op; m_pos -= (t & 8) << 11; t = (t & 7) + (3 - 1); if (unlikely(t == 2)) {
+ show +
112
113
114
115
116
117
118
119
120
121
while (unlikely(*ip == 0)) { t += 255; ip++; NEED_IP(1); } t += 7 + *ip++; NEED_IP(2); } next = get_unaligned_le16(ip); ip += 2;
+ show +
122
123
124
125
126
127
128
129
130
131
m_pos -= next >> 2; next &= 3; if (m_pos == op) goto eof_found; m_pos -= 0x4000; } TEST_LB(m_pos); #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #7
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; - if (likely(HAVE_OP(t + 15))) { + if (likely(HAVE_OP(t, 15))) { do { COPY8(op, m_pos); op += 8;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
119
120
121
122
123
124
125
126
127
128
} next = get_unaligned_le16(ip); ip += 2; m_pos -= next >> 2; next &= 3; if (m_pos == op) goto eof_found; m_pos -= 0x4000; } TEST_LB(m_pos);
+ show +
129
130
131
132
133
134
135
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8;
+ show +
136
137
138
139
140
141
142
143
144
145
m_pos += 8; COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
138
139
140
141
142
143
144
145
146
147
} next = get_unaligned_le16(ip); ip += 2; m_pos -= next >> 2; next &= 3; if (m_pos == op) goto eof_found; m_pos -= 0x4000; } TEST_LB(m_pos);
+ show +
148
149
150
151
152
153
154
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8;
+ show +
155
156
157
158
159
160
161
162
163
164
m_pos += 8; COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
138
139
140
141
142
143
144
145
146
147
} next = get_unaligned_le16(ip); ip += 2; m_pos -= next >> 2; next &= 3; if (m_pos == op) goto eof_found; m_pos -= 0x4000; } TEST_LB(m_pos);
+ show +
148
149
150
151
152
153
154
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8;
+ show +
155
156
157
158
159
160
161
162
163
164
m_pos += 8; COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #8
m_pos += 8; } while (op < oe); op = oe; - if (HAVE_IP(6)) { + if (HAVE_IP(6, 0)) { state = next; COPY4(op, ip); op += next;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
129
130
131
132
133
134
135
136
137
138
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8; m_pos += 8; COPY8(op, m_pos); op += 8;
+ show +
139
140
141
142
143
144
145
m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;
+ show +
146
147
148
149
150
151
152
153
154
155
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
148
149
150
151
152
153
154
155
156
157
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8; m_pos += 8; COPY8(op, m_pos); op += 8;
+ show +
158
159
160
161
162
163
164
m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;
+ show +
165
166
167
168
169
170
171
172
173
174
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
148
149
150
151
152
153
154
155
156
157
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (op - m_pos >= 8) { unsigned char *oe = op + t; if (likely(HAVE_OP(t + 15))) { do { COPY8(op, m_pos); op += 8; m_pos += 8; COPY8(op, m_pos); op += 8;
+ show +
158
159
160
161
162
163
164
m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next;
+ show +
165
166
167
168
169
170
171
172
173
174
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #9
continue; } } else { - NEED_OP(t); + NEED_OP(t, 0); do { *op++ = *m_pos++; } while (op < oe);
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
137
138
139
140
141
142
143
144
145
146
COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next; ip += next;
+ show +
147
148
149
150
151
152
153
continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe);
+ show +
154
155
156
157
158
159
160
161
162
163
} } else #endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
156
157
158
159
160
161
162
163
164
165
COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next; ip += next;
+ show +
166
167
168
169
170
171
172
continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe);
+ show +
173
174
175
176
177
178
179
180
181
182
} } else #endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2;
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
156
157
158
159
160
161
162
163
164
165
COPY8(op, m_pos); op += 8; m_pos += 8; } while (op < oe); op = oe; if (HAVE_IP(6)) { state = next; COPY4(op, ip); op += next; ip += next;
+ show +
166
167
168
169
170
171
172
continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe);
+ show +
173
174
175
176
177
178
179
180
181
182
} } else #endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2;

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #10
#endif { unsigned char *oe = op + t; - NEED_OP(t); + NEED_OP(t, 0); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
146
147
148
149
150
151
152
153
154
155
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else
+ show +
156
157
158
159
160
161
162
#endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
163
164
165
166
167
168
169
170
171
172
m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next: state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
165
166
167
168
169
170
171
172
173
174
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else
+ show +
175
176
177
178
179
180
181
#endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
182
183
184
185
186
187
188
189
190
191
m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next: state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) {
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
165
166
167
168
169
170
171
172
173
174
ip += next; continue; } } else { NEED_OP(t); do { *op++ = *m_pos++; } while (op < oe); } } else
+ show +
175
176
177
178
179
180
181
#endif { unsigned char *oe = op + t; NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2;
+ show +
182
183
184
185
186
187
188
189
190
191
m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next: state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) {

[xen_CVE-2014-4607_1404398370_lzo1x_decompress_safe.diff] lzo1x_decompress_safe_OLD.c #11
state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) - if (likely(HAVE_IP(6) && HAVE_OP(4))) { + if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) { COPY4(op, ip); op += t; ip += t; } else #endif { - NEED_IP(t + 3); - NEED_OP(t); + NEED_IP(t, 3); + NEED_OP(t, 0); while (t > 0) { *op++ = *ip++; t--;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4607_before_imd_1404398286_lzo1x_decompress_safe.c
159
160
161
162
163
164
165
166
167
168
NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next:
+ show +
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) { COPY4(op, ip); op += t; ip += t; } else #endif { NEED_IP(t + 3); NEED_OP(t); while (t > 0) { *op++ = *ip++; t--;
+ show +
184
185
186
187
188
189
190
191
192
193
} } } eof_found: *out_len = op - out; return (t != 3 ? LZO_E_ERROR : ip == ip_end ? LZO_E_OK : ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN);
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_1mo_1415102949_lzo1x_decompress_safe.c
178
179
180
181
182
183
184
185
186
187
NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next:
+ show +
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) { COPY4(op, ip); op += t; ip += t; } else #endif { NEED_IP(t + 3); NEED_OP(t); while (t > 0) { *op++ = *ip++; t--;
+ show +
203
204
205
206
207
208
209
210
211
212
} } } eof_found: *out_len = op - out; return (t != 3 ? LZO_E_ERROR : ip == ip_end ? LZO_E_OK : ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN);
.\cloneFuncs\totalClone\Type-3\CVE-2014-4607_after_6mo_1547206229_lzo1x_decompress_safe.c
178
179
180
181
182
183
184
185
186
187
NEED_OP(t); op[0] = m_pos[0]; op[1] = m_pos[1]; op += 2; m_pos += 2; do { *op++ = *m_pos++; } while (op < oe); } match_next:
+ show +
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
state = next; t = next; #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) if (likely(HAVE_IP(6) && HAVE_OP(4))) { COPY4(op, ip); op += t; ip += t; } else #endif { NEED_IP(t + 3); NEED_OP(t); while (t > 0) { *op++ = *ip++; t--;
+ show +
203
204
205
206
207
208
209
210
211
212
} } } eof_found: *out_len = op - out; return (t != 3 ? LZO_E_ERROR : ip == ip_end ? LZO_E_OK : ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN);

[xen_CVE-2014-4611_1407152583_lz4_uncompress.diff] lz4_uncompress_OLD.c #1
ip += length; break; /* EOF */ } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress.c
31
32
33
34
35
36
37
38
39
40
cpy = op + length; if (unlikely(cpy > oend - COPYLENGTH)) { /* * Error: not enough place for another match * (min 4) + 5 literals */ if (cpy != oend) goto _output_error; memcpy(op, ip, length);
+ show +
41
42
43
44
45
46
ip += length; break; /* EOF */ } LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy;
+ show +
47
48
49
50
51
52
53
54
55
56
/* get offset */ LZ4_READ_LITTLEENDIAN_16(ref, cpy, ip); ip += 2; /* Error: offset create reference outside destination buffer */ if (unlikely(ref < (BYTE *const) dest)) goto _output_error; /* get matchlength */

[xen_CVE-2014-4611_1407152583_lz4_uncompress.diff] lz4_uncompress_OLD.c #2
goto _output_error; continue; } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress.c
89
90
91
92
93
94
95
96
97
98
goto _output_error; LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++; op = cpy; /* * Check EOF (should never happen, since last 5 bytes * are supposed to be literals) */ if (op == oend)
+ show +
99
100
101
102
103
104
goto _output_error; continue; } LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
+ show +
105
106
107
108
109
110
111
/* end of decoding */ return (int) (ip - source); /* write overflow error detected */ _output_error: return (int) (-(ip - source)); }
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress_unknownoutputsize.c
103
104
105
106
107
108
109
110
111
112
LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++; op = cpy; /* * Check EOF (should never happen, since last 5 bytes * are supposed to be literals) */ if (op == oend)
+ show +
113
114
115
116
117
118
goto _output_error; continue; } LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
+ show +
119
120
121
122
123
124
125
/* end of decoding */ return (int) (op - dest); /* write overflow error detected */ _output_error: return (int) (-(ip - source)); }

[xen_CVE-2014-4611_1407152583_lz4_uncompress_unknownoutputsize.diff] lz4_uncompress_unknownoutputsize_OLD.c #2
goto _output_error; continue; } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress.c
89
90
91
92
93
94
95
96
97
98
goto _output_error; LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++; op = cpy; /* * Check EOF (should never happen, since last 5 bytes * are supposed to be literals) */ if (op == oend)
+ show +
99
100
101
102
103
104
goto _output_error; continue; } LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
+ show +
105
106
107
108
109
110
111
/* end of decoding */ return (int) (ip - source); /* write overflow error detected */ _output_error: return (int) (-(ip - source)); }
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress_unknownoutputsize.c
103
104
105
106
107
108
109
110
111
112
LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++; op = cpy; /* * Check EOF (should never happen, since last 5 bytes * are supposed to be literals) */ if (op == oend)
+ show +
113
114
115
116
117
118
goto _output_error; continue; } LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ }
+ show +
119
120
121
122
123
124
125
/* end of decoding */ return (int) (op - dest); /* write overflow error detected */ _output_error: return (int) (-(ip - source)); }

[xen_CVE-2014-4611_1407152583_lz4_uncompress_unknownoutputsize.diff] lz4_uncompress_unknownoutputsize_OLD.c #1
op += length; break;/* Necessarily EOF, due to parsing restrictions */ } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy;
.\cloneFuncs\totalClone\Type-1\CVE-2014-4611_before_imd_1381131635_lz4_uncompress_unknownoutputsize.c
40
41
42
43
44
45
46
47
48
49
if (cpy > oend) goto _output_error;/* writes beyond buffer */ if (ip + length != iend) goto _output_error;/* * Error: LZ4 format requires * to consume all input * at this stage */ memcpy(op, ip, length);
+ show +
50
51
52
53
54
55
op += length; break;/* Necessarily EOF, due to parsing restrictions */ } LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy;
+ show +
56
57
58
59
60
61
62
63
64
65
/* get offset */ LZ4_READ_LITTLEENDIAN_16(ref, cpy, ip); ip += 2; if (ref < (BYTE * const) dest) goto _output_error; /* * Error : offset creates reference * outside of destination buffer */

[linux_CVE-2014-5207_1466718065_check_nnp_nosuid.diff] check_nnp_nosuid_OLD.c #1
const struct task_security_struct *new_tsec) { int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); - int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); + int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); int rc; if (!nnp && !nosuid)
.\cloneFuncs\totalClone\Type-1\CVE-2014-5207_before_1mo_1463521263_check_nnp_nosuid.c
1
2
static int check_nnp_nosuid(const struct linux_binprm *bprm, const struct task_security_struct *old_tsec,
+ show +
3
4
5
6
7
8
9
const struct task_security_struct *new_tsec) { int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); int rc; if (!nnp && !nosuid)
+ show +
10
11
12
13
14
15
16
17
18
19
return 0; /* neither NNP nor nosuid */ if (new_tsec->sid == old_tsec->sid) return 0; /* No change in credentials */ /* * The only transitions we permit under NNP or nosuid * are transitions to bounded SIDs, i.e. SIDs that are * guaranteed to only be allowed a subset of the permissions * of the current SID.

[xen_CVE-2014-7188_1412168087_hvm_msr_read_intercept.diff] hvm_msr_read_intercept_OLD.c #1
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break;
.\cloneFuncs\totalClone\Type-1\CVE-2014-7188_before_1mo_1409307762_hvm_msr_read_intercept.c
24
25
26
27
28
29
30
31
32
33
case MSR_IA32_TSC_ADJUST: *msr_content = hvm_get_guest_tsc_adjust(v); break; case MSR_TSC_AUX: *msr_content = hvm_msr_tsc_aux(v); break; case MSR_IA32_APICBASE:
+ show +
34
35
36
37
38
39
40
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break;
+ show +
41
42
43
44
45
46
47
48
49
50
case MSR_IA32_TSC_DEADLINE: *msr_content = vlapic_tdt_msr_get(vcpu_vlapic(v)); break; case MSR_IA32_CR_PAT: hvm_get_guest_pat(v, msr_content); break; case MSR_MTRRcap:
.\cloneFuncs\totalClone\Type-2\CVE-2014-7188_after_6mo_1427404013_hvm_msr_read_intercept.c
24
25
26
27
28
29
30
31
32
33
case MSR_IA32_TSC_ADJUST: *msr_content = hvm_get_guest_tsc_adjust(v); break; case MSR_TSC_AUX: *msr_content = hvm_msr_tsc_aux(v); break; case MSR_IA32_APICBASE:
+ show +
34
35
36
37
38
39
40
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break;
+ show +
41
42
43
44
45
46
47
48
49
50
case MSR_IA32_TSC_DEADLINE: *msr_content = vlapic_tdt_msr_get(vcpu_vlapic(v)); break; case MSR_IA32_CR_PAT: hvm_get_guest_pat(v, msr_content); break; case MSR_MTRRcap:

[xen_CVE-2014-7188_1412168087_hvm_msr_write_intercept.diff] hvm_msr_write_intercept_OLD.c #1
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break;
.\cloneFuncs\totalClone\Type-1\CVE-2014-7188_before_imd_1412156226_hvm_msr_write_intercept.c
34
35
36
37
38
39
40
41
42
43
&& (v->domain->arch.tsc_mode != TSC_MODE_PVRDTSCP) ) wrmsrl(MSR_TSC_AUX, (uint32_t)msr_content); break; case MSR_IA32_APICBASE: if ( !vlapic_msr_set(vcpu_vlapic(v), msr_content) ) goto gp_fault; break; case MSR_IA32_TSC_DEADLINE:
+ show +
44
45
46
47
48
49
50
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break;
+ show +
51
52
53
54
55
56
57
58
59
60
case MSR_IA32_CR_PAT: if ( !hvm_set_guest_pat(v, msr_content) ) goto gp_fault; break; case MSR_MTRRcap: if ( !mtrr ) goto gp_fault; goto gp_fault;
.\cloneFuncs\totalClone\Type-3\CVE-2014-7188_after_6mo_1427404013_hvm_msr_write_intercept.c
35
36
37
38
39
40
41
42
43
44
wrmsrl(MSR_TSC_AUX, (uint32_t)msr_content); break; case MSR_IA32_APICBASE: if ( unlikely(is_pvh_vcpu(v)) || !vlapic_msr_set(vcpu_vlapic(v), msr_content) ) goto gp_fault; break; case MSR_IA32_TSC_DEADLINE:
+ show +
45
46
47
48
49
50
51
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break;
+ show +
52
53
54
55
56
57
58
59
60
61
case MSR_IA32_CR_PAT: if ( !hvm_set_guest_pat(v, msr_content) ) goto gp_fault; break; case MSR_MTRRcap: if ( !mtrr ) goto gp_fault; goto gp_fault;
.\cloneFuncs\totalClone\Type-3\CVE-2014-7188_before_1mo_1409307762_hvm_msr_write_intercept.c
33
34
35
36
37
38
39
40
41
42
if ( cpu_has_rdtscp && (v->domain->arch.tsc_mode != TSC_MODE_PVRDTSCP) ) wrmsrl(MSR_TSC_AUX, (uint32_t)msr_content); break; case MSR_IA32_APICBASE: vlapic_msr_set(vcpu_vlapic(v), msr_content); break; case MSR_IA32_TSC_DEADLINE:
+ show +
43
44
45
46
47
48
49
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break;
+ show +
50
51
52
53
54
55
56
57
58
59
case MSR_IA32_CR_PAT: if ( !hvm_set_guest_pat(v, msr_content) ) goto gp_fault; break; case MSR_MTRRcap: if ( !mtrr ) goto gp_fault; goto gp_fault;

[qemu_CVE-2014-7815_1414410104_set_pixel_format.diff] set_pixel_format_OLD.c #1
return; } + switch (bits_per_pixel) { + case 8: + case 16: + case 32: + break; + default: + vnc_client_error(vs); + return; + } + vs->client_pf.rmax = red_max; vs->client_pf.rbits = hweight_long(red_max); vs->client_pf.rshift = red_shift;
.\cloneFuncs\totalClone\Type-1\CVE-2014-7815_after_1mo_1404717499_set_pixel_format.c
9
10
11
12
13
14
15
16
17
18
return; } switch (bits_per_pixel) { case 8: case 16: case 32: break; default: vnc_client_error(vs);
+ show +
19
20
21
22
23
24
return; } vs->client_pf.rmax = red_max; vs->client_pf.rbits = hweight_long(red_max); vs->client_pf.rshift = red_shift;
+ show +
25
26
27
28
29
30
31
32
33
34
vs->client_pf.rmask = red_max << red_shift; vs->client_pf.gmax = green_max; vs->client_pf.gbits = hweight_long(green_max); vs->client_pf.gshift = green_shift; vs->client_pf.gmask = green_max << green_shift; vs->client_pf.bmax = blue_max; vs->client_pf.bbits = hweight_long(blue_max); vs->client_pf.bshift = blue_shift; vs->client_pf.bmask = blue_max << blue_shift; vs->client_pf.bits_per_pixel = bits_per_pixel;
.\cloneFuncs\totalClone\Type-1\CVE-2014-7815_before_1mo_1406109122_set_pixel_format.c
1
2
3
4
5
6
7
8
static void set_pixel_format(VncState *vs, int bits_per_pixel, int depth, int big_endian_flag, int true_color_flag, int red_max, int green_max, int blue_max, int red_shift, int green_shift, int blue_shift) { if (!true_color_flag) { vnc_client_error(vs);
+ show +
9
10
11
12
13
14
return; } vs->client_pf.rmax = red_max; vs->client_pf.rbits = hweight_long(red_max); vs->client_pf.rshift = red_shift;
+ show +
15
16
17
18
19
20
21
22
23
24
vs->client_pf.rmask = red_max << red_shift; vs->client_pf.gmax = green_max; vs->client_pf.gbits = hweight_long(green_max); vs->client_pf.gshift = green_shift; vs->client_pf.gmask = green_max << green_shift; vs->client_pf.bmax = blue_max; vs->client_pf.bbits = hweight_long(blue_max); vs->client_pf.bshift = blue_shift; vs->client_pf.bmask = blue_max << blue_shift; vs->client_pf.bits_per_pixel = bits_per_pixel;
.\cloneFuncs\totalClone\Type-2\CVE-2014-7815_after_6mo_1428516252_set_pixel_format.c
9
10
11
12
13
14
15
16
17
18
return; } switch (bits_per_pixel) { case 8: case 16: case 32: break; default: vnc_client_error(vs);
+ show +
19
20
21
22
23
24
return; } vs->client_pf.rmax = red_max; vs->client_pf.rbits = hweight_long(red_max); vs->client_pf.rshift = red_shift;
+ show +
25
26
27
28
29
30
31
32
33
34
vs->client_pf.rmask = red_max << red_shift; vs->client_pf.gmax = green_max; vs->client_pf.gbits = hweight_long(green_max); vs->client_pf.gshift = green_shift; vs->client_pf.gmask = green_max << green_shift; vs->client_pf.bmax = blue_max; vs->client_pf.bbits = hweight_long(blue_max); vs->client_pf.bshift = blue_shift; vs->client_pf.bmask = blue_max << blue_shift; vs->client_pf.bits_per_pixel = bits_per_pixel;

[qemu_CVE-2014-7840_1415785479_host_from_stream_offset.diff] host_from_stream_offset_OLD.c #1
uint8_t len; if (flags & RAM_SAVE_FLAG_CONTINUE) { - if (!block) { + if (!block || block->length <= offset) { error_report("Ack, bad migration stream!"); return NULL; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-7840_before_1mo_1411764327_host_from_stream_offset.c
1
2
3
4
5
6
static inline void *host_from_stream_offset(QEMUFile *f, ram_addr_t offset, int flags) { static RAMBlock *block = NULL; char id[256];
+ show +
7
8
9
10
11
12
13
uint8_t len; if (flags & RAM_SAVE_FLAG_CONTINUE) { if (!block) { error_report("Ack, bad migration stream!"); return NULL; }
+ show +
14
15
16
17
18
19
20
21
22
23
return memory_region_get_ram_ptr(block->mr) + offset; } len = qemu_get_byte(f); qemu_get_buffer(f, (uint8_t *)id, len); id[len] = 0; QTAILQ_FOREACH(block, &ram_list.blocks, next) { if (!strncmp(id, block->idstr, sizeof(id)))

[linux_CVE-2014-7975_1412796767_do_umount.diff] do_umount_OLD.c #1
* Special case for "unmounting" root ... * we just try to remount it readonly. */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; down_write(&sb->s_umount); if (!(sb->s_flags & MS_RDONLY)) retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
.\cloneFuncs\totalClone\Type-1\CVE-2014-7975_before_1mo_1408388966_do_umount.c
51
52
53
54
55
56
57
58
59
60
* No sense to grab the lock for this test, but test itself looks * somewhat bogus. Suggestions for better replacement? * Ho-hum... In principle, we might treat that as umount + switch * to rootfs. GC would eventually take care of the old vfsmount. * Actually it makes sense, especially if rootfs would contain a * /reboot - static binary that would close all descriptors and * call reboot(9). Then init(8) could umount root and exec /reboot. */ if (&mnt->mnt == current->fs->root.mnt && !(flags & MNT_DETACH)) { /*
+ show +
61
62
63
64
65
66
* Special case for "unmounting" root ... * we just try to remount it readonly. */ down_write(&sb->s_umount); if (!(sb->s_flags & MS_RDONLY)) retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
+ show +
67
68
69
70
71
72
73
74
75
76
up_write(&sb->s_umount); return retval; } namespace_lock(); lock_mount_hash(); event++; if (flags & MNT_DETACH) { if (!list_empty(&mnt->mnt_list))

[qemu_CVE-2014-8106_1416400048_blit_is_unsafe.diff] blit_is_unsafe_OLD.c #1
assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); + if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) { + return true; + } + if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { return true;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8106_before_imd_1416393462_blit_is_unsafe.c
1
2
3
static bool blit_is_unsafe(struct CirrusVGAState *s) { /* should be the case, see cirrus_bitblt_start */
+ show +
4
5
6
7
8
9
assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { return true;
+ show +
10
11
12
13
14
15
16
17
} if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { return true; } return false; }

[libtiff_CVE-2018-10963_1526127855_TIFFWriteDirectorySec.diff] TIFFWriteDirectorySec_OLD.c #1
} break; default: - assert(0); /* we should never get here */ - break; + TIFFErrorExt(tif->tif_clientdata,module, + "Cannot write tag %d (%s)", + TIFFFieldTag(o), + o->field_name ? o->field_name : "unknown"); + goto bad; } } }
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_after_1mo_1484150942_TIFFWriteDirectorySec.c
325
326
327
328
329
330
331
332
333
334
case TIFF_SETGET_C32_UINT8: { uint32 pa; void* pb; assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad;
+ show +
335
336
337
338
339
340
341
342
} break; default: assert(0); /* we should never get here */ break; } } }
+ show +
343
344
345
346
347
348
349
350
351
352
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_before_1mo_1450437060_TIFFWriteDirectorySec.c
313
314
315
316
317
318
319
320
321
322
case TIFF_SETGET_C32_UINT8: { uint32 pa; void* pb; assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad;
+ show +
323
324
325
326
327
328
329
330
} break; default: assert(0); /* we should never get here */ break; } } }
+ show +
331
332
333
334
335
336
337
338
339
340
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2018-10963_before_1mo_1503495222_TIFFWriteDirectorySec.c
325
326
327
328
329
330
331
332
333
334
case TIFF_SETGET_C32_UINT8: { uint32 pa; void* pb; assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad;
+ show +
335
336
337
338
339
340
341
342
} break; default: assert(0); /* we should never get here */ break; } } }
+ show +
343
344
345
346
347
348
349
350
351
352
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-2\CVE-2014-8127_before_6mo_1448206263_TIFFWriteDirectorySec.c
313
314
315
316
317
318
319
320
321
322
case TIFF_SETGET_C32_UINT8: { uint32 pa; void* pb; assert(o->field_type==TIFF_UNDEFINED); assert(o->field_readcount==TIFF_VARIABLE2); assert(o->field_passcount==1); TIFFGetField(tif,o->field_tag,&pa,&pb); if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb)) goto bad;
+ show +
323
324
325
326
327
328
329
330
} break; default: assert(0); /* we should never get here */ break; } } }
+ show +
331
332
333
334
335
336
337
338
339
340
} } for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++) { uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag; uint32 count = tif->tif_dir.td_customValues[m].count; switch (tif->tif_dir.td_customValues[m].info->field_type) { case TIFF_ASCII: if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))

[libtiff_CVE-2014-8127_1477431315_TIFFWriteDirectorySec.diff] TIFFWriteDirectorySec_OLD.c #1
{ if (!isTiled(tif)) { - if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; + /* td_stripoffset might be NULL in an odd OJPEG case. See + * tif_dirread.c around line 3634. + * XXX: OJPEG hack. + * If a) compression is OJPEG, b) it's not a tiled TIFF, + * and c) the number of strips is 1, + * then we tolerate the absence of stripoffsets tag, + * because, presumably, all required data is in the + * JpegInterchangeFormat stream. + * We can get here when using tiffset on such a file. + * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 + */ + if (tif->tif_dir.td_stripoffset != NULL && + !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) + goto bad; } else {
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_before_1mo_1450437060_TIFFWriteDirectorySec.c
171
172
173
174
175
176
177
178
179
180
if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPBYTECOUNTS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripbytecount)) goto bad; } else { if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_TILEBYTECOUNTS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripbytecount)) goto bad; } } if (TIFFFieldSet(tif,FIELD_STRIPOFFSETS))
+ show +
181
182
183
184
185
186
187
188
{ if (!isTiled(tif)) { if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) goto bad; } else {
+ show +
189
190
191
192
193
194
195
196
197
198
if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_TILEOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) goto bad; } } if (TIFFFieldSet(tif,FIELD_COLORMAP)) { if (!TIFFWriteDirectoryTagColormap(tif,&ndir,dir)) goto bad; } if (TIFFFieldSet(tif,FIELD_EXTRASAMPLES))
.\cloneFuncs\totalClone\Type-2\CVE-2014-8127_before_6mo_1448206263_TIFFWriteDirectorySec.c
171
172
173
174
175
176
177
178
179
180
if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPBYTECOUNTS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripbytecount)) goto bad; } else { if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_TILEBYTECOUNTS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripbytecount)) goto bad; } } if (TIFFFieldSet(tif,FIELD_STRIPOFFSETS))
+ show +
181
182
183
184
185
186
187
188
{ if (!isTiled(tif)) { if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) goto bad; } else {
+ show +
189
190
191
192
193
194
195
196
197
198
if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_TILEOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) goto bad; } } if (TIFFFieldSet(tif,FIELD_COLORMAP)) { if (!TIFFWriteDirectoryTagColormap(tif,&ndir,dir)) goto bad; } if (TIFFFieldSet(tif,FIELD_EXTRASAMPLES))

[libtiff_CVE-2014-8128_1425312998_fsdither.diff] fsdither_OLD.c #1
-static void +static int fsdither(TIFF* in, TIFF* out) { unsigned char *outline, *inputline, *inptr;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8128_before_1mo_1362540909_fsdither.c
+ show +
1
2
3
4
static void fsdither(TIFF* in, TIFF* out) { unsigned char *outline, *inputline, *inptr;
+ show +
5
6
7
8
9
10
11
12
13
14
short *thisline, *nextline, *tmpptr; register unsigned char *outptr; register short *thisptr, *nextptr; register uint32 i, j; uint32 imax, jmax; int lastline, lastpixel; int bit; tsize_t outlinesize; imax = imagelength - 1;

[libtiff_CVE-2014-8128_1425312998_fsdither.diff] fsdither_OLD.c #2
int lastline, lastpixel; int bit; tsize_t outlinesize; + int errcode = 0; imax = imagelength - 1; jmax = imagewidth - 1; inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); - thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); - nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); + thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); + nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); + if (! (inputline && thisline && nextline && outline)) { + fprintf(stderr, "Out of memory.\n"); + goto skip_on_error; + } /* * Get first line
.\cloneFuncs\totalClone\Type-1\CVE-2014-8128_before_1mo_1362540909_fsdither.c
1
2
3
4
5
6
7
8
9
static void fsdither(TIFF* in, TIFF* out) { unsigned char *outline, *inputline, *inptr; short *thisline, *nextline, *tmpptr; register unsigned char *outptr; register short *thisptr, *nextptr; register uint32 i, j; uint32 imax, jmax;
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
int lastline, lastpixel; int bit; tsize_t outlinesize; imax = imagelength - 1; jmax = imagewidth - 1; inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); /* * Get first line
+ show +
24
25
26
27
28
29
30
31
32
33
*/ if (TIFFReadScanline(in, inputline, 0, 0) <= 0) goto skip_on_error; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j) *nextptr++ = *inptr++; for (i = 1; i < imagelength; ++i) { tmpptr = thisline;

[libtiff_CVE-2014-8128_1425312998_fsdither.diff] fsdither_OLD.c #3
nextline = tmpptr; lastline = (i == imax); if (TIFFReadScanline(in, inputline, i, 0) <= 0) - break; + goto skip_on_error; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j)
.\cloneFuncs\totalClone\Type-1\CVE-2014-8128_before_1mo_1362540909_fsdither.c
25
26
27
28
29
30
31
32
33
34
if (TIFFReadScanline(in, inputline, 0, 0) <= 0) goto skip_on_error; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j) *nextptr++ = *inptr++; for (i = 1; i < imagelength; ++i) { tmpptr = thisline; thisline = nextline;
+ show +
35
36
37
38
39
40
41
nextline = tmpptr; lastline = (i == imax); if (TIFFReadScanline(in, inputline, i, 0) <= 0) break; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j)
+ show +
42
43
44
45
46
47
48
49
50
51
*nextptr++ = *inptr++; thisptr = thisline; nextptr = nextline; _TIFFmemset(outptr = outline, 0, outlinesize); bit = 0x80; for (j = 0; j < imagewidth; ++j) { register int v; lastpixel = (j == jmax); v = *thisptr++;

[ffmpeg_CVE-2014-8541_1418586733_ff_mjpeg_decode_sof.diff] ff_mjpeg_decode_sof_OLD.c #1
int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; + int h_count[MAX_COMPONENTS] = { 0 }; + int v_count[MAX_COMPONENTS] = { 0 }; + int len, nb_components, i, width, height, bits, pix_fmt_id, ret; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; }
.\cloneFuncs\totalClone\Type-1\CVE-2014-8541_before_1mo_1390560916_ff_mjpeg_decode_sof.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { int len, nb_components, i, width, height, pix_fmt_id, ret; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); s->bits = get_bits(&s->gb, 8); if (s->pegasus_rct) s->bits = 9; if (s->bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly if (s->bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; }
+ show +
18
19
20
21
22
23
24
25
26
27
height = get_bits(&s->gb, 16); width = get_bits(&s->gb, 16); // HACK for odd_height.mov if (s->interlaced && s->width == width && s->height == height + 1) height= s->height; av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx))

[ffmpeg_CVE-2014-8541_1418586733_ff_mjpeg_decode_sof.diff] ff_mjpeg_decode_sof_OLD.c #2
return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray");
.\cloneFuncs\totalClone\Type-1\CVE-2014-8541_before_1mo_1390560916_ff_mjpeg_decode_sof.c
28
29
30
31
32
33
34
35
36
37
return AVERROR_INVALIDDATA; nb_components = get_bits(&s->gb, 8); if (nb_components <= 0 || nb_components > MAX_COMPONENTS) return -1; if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) { if (nb_components != s->nb_components) { av_log(s->avctx, AV_LOG_ERROR, "nb_components changing in interlaced picture\n");
+ show +
38
39
40
41
42
43
44
return AVERROR_INVALIDDATA; } } if (s->ls && !(s->bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray");
+ show +
45
46
47
48
49
50
51
52
53
54
return AVERROR_PATCHWELCOME; } s->nb_components = nb_components; s->h_max = 1; s->v_max = 1; for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; s->h_count[i] = get_bits(&s->gb, 4); s->v_count[i] = get_bits(&s->gb, 4);

[ffmpeg_CVE-2014-8541_1418586733_ff_mjpeg_decode_sof.diff] ff_mjpeg_decode_sof_OLD.c #3
for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; - s->h_count[i] = get_bits(&s->gb, 4); - s->v_count[i] = get_bits(&s->gb, 4); + h_count[i] = get_bits(&s->gb, 4); + v_count[i] = get_bits(&s->gb, 4); /* compute hmax and vmax (only used in interleaved case) */ - if (s->h_count[i] > s->h_max) - s->h_max = s->h_count[i]; - if (s->v_count[i] > s->v_max) - s->v_max = s->v_count[i]; + if (h_count[i] > s->h_max) + s->h_max = h_count[i]; + if (v_count[i] > s->v_max) + s->v_max = v_count[i]; s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return AVERROR_INVALIDDATA; - if (!s->h_count[i] || !s->v_count[i]) { + if (!h_count[i] || !v_count[i]) { av_log(s->avctx, AV_LOG_ERROR, "Invalid sampling factor in component %d %d:%d\n", - i, s->h_count[i], s->v_count[i]); + i, h_count[i], v_count[i]); return AVERROR_INVALIDDATA; } av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", - i, s->h_count[i], s->v_count[i], + i, h_count[i], v_count[i], s->component_id[i], s->quant_index[i]); }
.\cloneFuncs\totalClone\Type-1\CVE-2014-8541_before_1mo_1390560916_ff_mjpeg_decode_sof.c
40
41
42
43
44
45
46
47
48
49
} if (s->ls && !(s->bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); return AVERROR_PATCHWELCOME; } s->nb_components = nb_components; s->h_max = 1; s->v_max = 1;
+ show +
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; s->h_count[i] = get_bits(&s->gb, 4); s->v_count[i] = get_bits(&s->gb, 4); /* compute hmax and vmax (only used in interleaved case) */ if (s->h_count[i] > s->h_max) s->h_max = s->h_count[i]; if (s->v_count[i] > s->v_max) s->v_max = s->v_count[i]; s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return AVERROR_INVALIDDATA; if (!s->h_count[i] || !s->v_count[i]) { av_log(s->avctx, AV_LOG_ERROR, "Invalid sampling factor in component %d %d:%d\n", i, s->h_count[i], s->v_count[i]); return AVERROR_INVALIDDATA; } av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", i, s->h_count[i], s->v_count[i], s->component_id[i], s->quant_index[i]); }
+ show +
74
75
76
77
78
79
80
81
82
83
if (s->ls && (s->h_max > 1 || s->v_max > 1)) { avpriv_report_missing_feature(s->avctx, "Subsampling in JPEG-LS"); return AVERROR_PATCHWELCOME; } if (s->v_max == 1 && s->h_max == 1 && s->lossless == 1) s->rgb = 1; /* if different size, realloc/alloc picture */

[ffmpeg_CVE-2014-8541_1418586733_ff_mjpeg_decode_sof.diff] ff_mjpeg_decode_sof_OLD.c #4
s->rgb = 1; /* if different size, realloc/alloc picture */ - /* XXX: also check h_count and v_count */ - if (width != s->width || height != s->height) { + if (width != s->width || height != s->height || bits != s->bits || + memcmp(s->h_count, h_count, sizeof(h_count)) || + memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; + memcpy(s->h_count, h_count, sizeof(h_count)); + memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; /* test interlaced mode */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8541_before_1mo_1390560916_ff_mjpeg_decode_sof.c
71
72
73
74
75
76
77
78
79
80
i, s->h_count[i], s->v_count[i], s->component_id[i], s->quant_index[i]); } if (s->ls && (s->h_max > 1 || s->v_max > 1)) { avpriv_report_missing_feature(s->avctx, "Subsampling in JPEG-LS"); return AVERROR_PATCHWELCOME; } if (s->v_max == 1 && s->h_max == 1 && s->lossless == 1)
+ show +
81
82
83
84
85
86
87
88
89
90
s->rgb = 1; /* if different size, realloc/alloc picture */ /* XXX: also check h_count and v_count */ if (width != s->width || height != s->height) { s->width = width; s->height = height; s->interlaced = 0; /* test interlaced mode */
+ show +
91
92
93
94
95
96
97
98
99
100
if (s->first_picture && s->org_height != 0 && s->height < ((s->org_height * 3) / 4)) { s->interlaced = 1; s->bottom_field = s->interlace_polarity; s->picture_ptr->interlaced_frame = 1; s->picture_ptr->top_field_first = !s->interlace_polarity; height *= 2; }

[ffmpeg_CVE-2014-8542_1418587319_decode_init.diff] decode_init_OLD.c #1
{ JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
.\cloneFuncs\totalClone\Type-1\CVE-2014-8542_before_imd_1389692027_decode_init.c
1
static av_cold int decode_init(AVCodecContext *avctx)
+ show +
2
3
4
5
6
7
{ JvContext *s = avctx->priv_data; s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
+ show +
8
9
10
11
12
avctx->pix_fmt = AV_PIX_FMT_PAL8; ff_blockdsp_init(&s->bdsp, avctx); return 0; }
.\cloneFuncs\totalClone\Type-2\CVE-2014-8542_before_1mo_1386941422_decode_init.c
1
static av_cold int decode_init(AVCodecContext *avctx)
+ show +
2
3
4
5
6
7
{ JvContext *s = avctx->priv_data; s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
+ show +
8
9
10
11
12
avctx->pix_fmt = AV_PIX_FMT_PAL8; ff_dsputil_init(&s->dsp, avctx); return 0; }

[ffmpeg_CVE-2014-8543_1418587319_mm_decode_init.diff] mm_decode_init_OLD.c #1
avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
.\cloneFuncs\totalClone\Type-1\CVE-2014-8543_before_1mo_1383988486_mm_decode_init.c
1
2
3
4
5
6
static av_cold int mm_decode_init(AVCodecContext *avctx) { MmContext *s = avctx->priv_data; s->avctx = avctx;
+ show +
7
8
9
10
11
avctx->pix_fmt = AV_PIX_FMT_PAL8; s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
+ show +
12
13
14
return 0; }

[ffmpeg_CVE-2014-8544_1425762419_init_image.diff] init_image_OLD.c #1
{ int ret; + // make sure there is no aliasing in the following switch + if (s->bpp >= 100 || s->bppcount >= 10) { + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported image parameters: bpp=%d, bppcount=%d\n", + s->bpp, s->bppcount); + return AVERROR_INVALIDDATA; + } + switch (s->planar * 1000 + s->bpp * 10 + s->bppcount) { case 11: s->avctx->pix_fmt = AV_PIX_FMT_MONOBLACK;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8544_before_imd_1418824484_init_image.c
1
static int init_image(TiffContext *s, AVFrame *frame)
+ show +
2
3
4
5
6
7
{ int ret; switch (s->planar * 1000 + s->bpp * 10 + s->bppcount) { case 11: s->avctx->pix_fmt = AV_PIX_FMT_MONOBLACK;
+ show +
8
9
10
11
12
13
14
15
16
17
break; case 81: s->avctx->pix_fmt = s->palette_is_set ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_GRAY8; break; case 243: s->avctx->pix_fmt = AV_PIX_FMT_RGB24; break; case 161: s->avctx->pix_fmt = s->le ? AV_PIX_FMT_GRAY16LE : AV_PIX_FMT_GRAY16BE; break;

[ffmpeg_CVE-2014-8549_1412453707_on2avc_decode_init.diff] on2avc_decode_init_OLD.c #1
av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } + if (avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "Only 1 or 2 channels are supported.\n"); + return AVERROR(EINVAL); + } if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n");
.\cloneFuncs\totalClone\Type-1\CVE-2014-8549_before_1mo_1400854824_on2avc_decode_init.c
3
4
5
6
7
8
9
10
11
12
On2AVCContext *c = avctx->priv_data; int i; c->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; c->is_av500 = (avctx->codec_tag == 0x500); if (c->is_av500 && avctx->channels == 2) {
+ show +
13
14
15
16
17
18
av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n");
+ show +
19
20
21
22
23
24
25
26
27
28
for (i = 0; i < 20; i++) c->scale_tab[i] = ceil(pow(10.0, i * 0.1) * 16) / 32; for (; i < 128; i++) c->scale_tab[i] = ceil(pow(10.0, i * 0.1) * 0.5); if (avctx->sample_rate < 32000 || avctx->channels == 1) memcpy(c->long_win, ff_on2avc_window_long_24000, 1024 * sizeof(*c->long_win)); else
.\cloneFuncs\totalClone\Type-3\CVE-2014-8549_after_1mo_1419030973_on2avc_decode_init.c
8
9
10
11
12
13
14
15
16
17
return AVERROR_PATCHWELCOME; } c->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; c->is_av500 = (avctx->codec_tag == 0x500); if (c->is_av500 && avctx->channels == 2) {
+ show +
18
19
20
21
22
23
24
av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n");
+ show +
25
26
27
28
29
30
31
32
33
34
for (i = 0; i < 20; i++) c->scale_tab[i] = ceil(pow(10.0, i * 0.1) * 16) / 32; for (; i < 128; i++) c->scale_tab[i] = ceil(pow(10.0, i * 0.1) * 0.5); if (avctx->sample_rate < 32000 || avctx->channels == 1) memcpy(c->long_win, ff_on2avc_window_long_24000, 1024 * sizeof(*c->long_win)); else

[xen_CVE-2016-9386_1479818690_protmode_load_seg.diff] protmode_load_seg_OLD.c #1
&desctab, ctxt)) ) return rc; + /* Segment not valid for use (cooked meaning of .p)? */ + if ( !desctab.attr.fields.p ) + goto raise_exn; + /* Check against descriptor table limit. */ if ( ((sel & 0xfff8) + 7) > desctab.limit ) goto raise_exn;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_after_1mo_1421073672_protmode_load_seg.c
19
20
21
22
23
24
25
26
27
28
memset(&segr, 0, sizeof(segr)); return ops->write_segment(seg, &segr, ctxt); } /* System segment descriptors must reside in the GDT. */ if ( !is_x86_user_segment(seg) && (sel & 4) ) goto raise_exn; if ( (rc = ops->read_segment(x86_seg_ss, &ss, ctxt)) || (rc = ops->read_segment((sel & 4) ? x86_seg_ldtr : x86_seg_gdtr,
+ show +
29
30
31
32
33
34
&desctab, ctxt)) ) return rc; /* Check against descriptor table limit. */ if ( ((sel & 0xfff8) + 7) > desctab.limit ) goto raise_exn;
+ show +
35
36
37
38
39
40
41
42
43
44
if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8), &desc, sizeof(desc), ctxt)) ) return rc; /* Segment present in memory? */ if ( !(desc.b & (1u<<15)) ) { fault_type = EXC_NP; goto raise_exn;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_1mo_1411978847_protmode_load_seg.c
19
20
21
22
23
24
25
26
27
28
memset(&segr, 0, sizeof(segr)); return ops->write_segment(seg, &segr, ctxt); } /* System segment descriptors must reside in the GDT. */ if ( !is_x86_user_segment(seg) && (sel & 4) ) goto raise_exn; if ( (rc = ops->read_segment(x86_seg_ss, &ss, ctxt)) || (rc = ops->read_segment((sel & 4) ? x86_seg_ldtr : x86_seg_gdtr,
+ show +
29
30
31
32
33
34
&desctab, ctxt)) ) return rc; /* Check against descriptor table limit. */ if ( ((sel & 0xfff8) + 7) > desctab.limit ) goto raise_exn;
+ show +
35
36
37
38
39
40
41
42
43
44
if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8), &desc, sizeof(desc), ctxt)) ) return rc; /* Segment present in memory? */ if ( !(desc.b & (1u<<15)) ) { fault_type = EXC_NP; goto raise_exn;
.\cloneFuncs\totalClone\Type-1\CVE-2016-9386_before_1mo_1476446956_protmode_load_seg.c
33
34
35
36
37
38
39
40
41
42
memset(sreg, 0, sizeof(*sreg)); sreg->sel = sel; return X86EMUL_OKAY; } /* System segment descriptors must reside in the GDT. */ if ( !is_x86_user_segment(seg) && (sel & 4) ) goto raise_exn; if ( (rc = ops->read_segment((sel & 4) ? x86_seg_ldtr : x86_seg_gdtr,
+ show +
43
44
45
46
47
48
&desctab, ctxt)) ) return rc; /* Check against descriptor table limit. */ if ( ((sel & 0xfff8) + 7) > desctab.limit ) goto raise_exn;
+ show +
49
50
51
52
53
54
55
56
57
58
if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8), &desc, sizeof(desc), ctxt)) ) return rc; if ( !is_x86_user_segment(seg) ) { /* System segments must have S flag == 0. */ if ( desc.b & (1u << 12) ) goto raise_exn;
.\cloneFuncs\totalClone\Type-3\CVE-2016-9386_before_6mo_1463652393_protmode_load_seg.c
20
21
22
23
24
25
26
27
28
29
memset(sreg, 0, sizeof(*sreg)); return X86EMUL_OKAY; } /* System segment descriptors must reside in the GDT. */ if ( !is_x86_user_segment(seg) && (sel & 4) ) goto raise_exn; if ( (rc = ops->read_segment(x86_seg_ss, &ss, ctxt)) || (rc = ops->read_segment((sel & 4) ? x86_seg_ldtr : x86_seg_gdtr,
+ show +
30
31
32
33
34
35
&desctab, ctxt)) ) return rc; /* Check against descriptor table limit. */ if ( ((sel & 0xfff8) + 7) > desctab.limit ) goto raise_exn;
+ show +
36
37
38
39
40
41
42
43
44
45
if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8), &desc, sizeof(desc), ctxt)) ) return rc; /* Segment present in memory? */ if ( !(desc.b & (1u<<15)) ) { fault_type = EXC_NP; goto raise_exn;

[xen_CVE-2014-8595_1416316583_load_seg.diff] load_seg_OLD.c #1
static int load_seg( enum x86_segment seg, - uint16_t sel, + uint16_t sel, bool_t is_ret, struct x86_emulate_ctxt *ctxt, const struct x86_emulate_ops *ops) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_1mo_1411978847_load_seg.c
+ show +
1
2
3
4
5
6
7
static int load_seg( enum x86_segment seg, uint16_t sel, struct x86_emulate_ctxt *ctxt, const struct x86_emulate_ops *ops) {
+ show +
8
9
10
11
12
13
14
15
16
if ( (ops->read_segment == NULL) || (ops->write_segment == NULL) ) return X86EMUL_UNHANDLEABLE; if ( in_protmode(ctxt, ops) ) return protmode_load_seg(seg, sel, ctxt, ops); return realmode_load_seg(seg, sel, ctxt, ops); }

[xen_CVE-2014-8595_1416316583_protmode_load_seg.diff] protmode_load_seg_OLD.c #1
static int protmode_load_seg( enum x86_segment seg, - uint16_t sel, + uint16_t sel, bool_t is_ret, struct x86_emulate_ctxt *ctxt, const struct x86_emulate_ops *ops) {
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_1mo_1411978847_protmode_load_seg.c
+ show +
1
2
3
4
5
6
7
static int protmode_load_seg( enum x86_segment seg, uint16_t sel, struct x86_emulate_ctxt *ctxt, const struct x86_emulate_ops *ops) {
+ show +
8
9
10
11
12
13
14
15
16
17
struct segment_register desctab, ss, segr; struct { uint32_t a, b; } desc; uint8_t dpl, rpl, cpl; uint32_t new_desc_b, a_flag = 0x100; int rc, fault_type = EXC_GP; /* NULL selector? */ if ( (sel & 0xfffc) == 0 ) { if ( (seg == x86_seg_cs) || (seg == x86_seg_ss) )

[xen_CVE-2014-8595_1416316583_protmode_load_seg.diff] protmode_load_seg_OLD.c #2
/* Code segment? */ if ( !(desc.b & (1u<<11)) ) goto raise_exn; - /* Non-conforming segment: check DPL against RPL. */ - if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) ) + if ( is_ret + ? /* + * Really rpl < cpl, but our sole caller doesn't handle + * privilege level changes. + */ + rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl) + : desc.b & (1 << 10) + /* Conforming segment: check DPL against CPL. */ + ? dpl > cpl + /* Non-conforming segment: check RPL and DPL against CPL. */ + : rpl > cpl || dpl != cpl ) goto raise_exn; + /* 64-bit code segments (L bit set) must have D bit clear. */ + if ( in_longmode(ctxt, ops) && + (desc.b & (1 << 21)) && (desc.b & (1 << 22)) ) + goto raise_exn; + sel = (sel ^ rpl) | cpl; break; case x86_seg_ss: /* Writable data segment? */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_1mo_1411978847_protmode_load_seg.c
57
58
59
60
61
62
63
64
65
66
else if ( !(desc.b & (1u << 12)) ) goto raise_exn; dpl = (desc.b >> 13) & 3; rpl = sel & 3; cpl = ss.attr.fields.dpl; switch ( seg ) { case x86_seg_cs:
+ show +
67
68
69
70
71
72
73
74
75
/* Code segment? */ if ( !(desc.b & (1u<<11)) ) goto raise_exn; /* Non-conforming segment: check DPL against RPL. */ if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) ) goto raise_exn; break; case x86_seg_ss: /* Writable data segment? */
+ show +
76
77
78
79
80
81
82
83
84
85
if ( (desc.b & (5u<<9)) != (1u<<9) ) goto raise_exn; if ( (dpl != cpl) || (dpl != rpl) ) goto raise_exn; break; case x86_seg_ldtr: /* LDT system segment? */ if ( (desc.b & (15u<<8)) != (2u<<8) ) goto raise_exn; goto skip_accessed_flag;

[xen_CVE-2014-8595_1416316583_x86_emulate.diff] x86_emulate_OLD.c #8
goto done; } - if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) + if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) goto done; _regs.eip = src.val;
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
if ( (modrm_reg & 7) == 3 ) /* call */ { struct segment_register reg; fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &_regs.eip, op_bytes, ctxt)) )
+ show +
2280
2281
2282
2283
2284
2285
goto done; } if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = src.val;
+ show +
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
dst.type = OP_NONE; break; } case 6: /* push */ goto push; case 7: generate_exception_if(1, EXC_UD, -1); default: goto cannot_emulate;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
if ( (modrm_reg & 7) == 3 ) /* call */ { struct segment_register reg; fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &_regs.eip, op_bytes, ctxt)) )
+ show +
2274
2275
2276
2277
2278
2279
goto done; } if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = src.val;
+ show +
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
dst.type = OP_NONE; break; } case 6: /* push */ goto push; case 7: generate_exception_if(1, EXC_UD, -1); default: goto cannot_emulate;
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
if ( (modrm_reg & 7) == 3 ) /* call */ { struct segment_register reg; fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &_regs.eip, op_bytes, ctxt)) )
+ show +
2274
2275
2276
2277
2278
2279
goto done; } if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = src.val;
+ show +
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
dst.type = OP_NONE; break; } case 6: /* push */ goto push; case 7: generate_exception_if(1, EXC_UD, -1); default: goto cannot_emulate;
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
if ( (modrm_reg & 7) == 3 ) /* call */ { struct segment_register reg; fail_if(ops->read_segment == NULL); if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &reg.sel, op_bytes, ctxt)) || (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes), &_regs.eip, op_bytes, ctxt)) )
+ show +
2282
2283
2284
2285
2286
2287
goto done; } if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) goto done; _regs.eip = src.val;
+ show +
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
dst.type = OP_NONE; break; } case 6: /* push */ goto push; case 7: generate_exception_if(1, EXC_UD, -1); default: goto cannot_emulate;

[xen_CVE-2014-8867_1417093300_msixtbl_read.diff] msixtbl_read_OLD.c #1
rcu_read_lock(&msixtbl_rcu_lock); entry = msixtbl_find_entry(v, address); + if ( !entry ) + goto out; offset = address & (PCI_MSIX_ENTRY_SIZE - 1); if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET )
.\cloneFuncs\totalClone\Type-1\CVE-2014-8867_before_1mo_1385561743_msixtbl_read.c
4
5
6
7
8
9
10
11
12
13
{ unsigned long offset; struct msixtbl_entry *entry; void *virt; unsigned int nr_entry, index; int r = X86EMUL_UNHANDLEABLE; if ( len != 4 || (address & 3) ) return r;
+ show +
14
15
16
17
18
19
rcu_read_lock(&msixtbl_rcu_lock); entry = msixtbl_find_entry(v, address); offset = address & (PCI_MSIX_ENTRY_SIZE - 1); if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET )
+ show +
20
21
22
23
24
25
26
27
28
29
{ nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; if ( nr_entry >= MAX_MSIX_ACC_ENTRIES ) goto out; index = offset / sizeof(uint32_t); *pval = entry->gentries[nr_entry].msi_ad[index]; } else { virt = msixtbl_addr_to_virt(entry, address);

[xen_CVE-2014-8867_1417093300_msixtbl_write.diff] msixtbl_write_OLD.c #1
rcu_read_lock(&msixtbl_rcu_lock); entry = msixtbl_find_entry(v, address); + if ( !entry ) + goto out; nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
.\cloneFuncs\totalClone\Type-1\CVE-2014-8867_before_1mo_1385561743_msixtbl_write.c
6
7
8
9
10
11
12
13
14
15
const struct msi_desc *msi_desc; void *virt; unsigned int nr_entry, index; int r = X86EMUL_UNHANDLEABLE; unsigned long flags, orig; struct irq_desc *desc; if ( len != 4 || (address & 3) ) return r;
+ show +
16
17
18
19
20
21
rcu_read_lock(&msixtbl_rcu_lock); entry = msixtbl_find_entry(v, address); nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
+ show +
22
23
24
25
26
27
28
29
30
31
if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET) { if ( nr_entry < MAX_MSIX_ACC_ENTRIES ) { index = offset / sizeof(uint32_t); entry->gentries[nr_entry].msi_ad[index] = val; } set_bit(nr_entry, &entry->table_flags); goto out; }
.\cloneFuncs\totalClone\Type-3\CVE-2014-8867_before_6mo_1378716191_msixtbl_write.c
6
7
8
9
10
11
12
13
14
15
const struct msi_desc *msi_desc; void *virt; unsigned int nr_entry, index; int r = X86EMUL_UNHANDLEABLE; unsigned long flags, orig; struct irq_desc *desc; if ( len != 4 || (address & 3) ) return r;
+ show +
16
17
18
19
20
21
rcu_read_lock(&msixtbl_rcu_lock); entry = msixtbl_find_entry(v, address); nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
+ show +
22
23
24
25
26
27
28
29
30
31
if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET) { if ( nr_entry < MAX_MSIX_ACC_ENTRIES ) { index = offset / sizeof(uint32_t); entry->gentries[nr_entry].msi_ad[index] = val; } set_bit(nr_entry, &entry->table_flags); goto out; }

[linux_CVE-2014-8989_1417065734_new_idmap_permitted.diff] new_idmap_permitted_OLD.c #1
struct user_namespace *ns, int cap_setid, struct uid_gid_map *new_map) { + const struct cred *cred = file->f_cred; /* Don't allow mappings that would allow anything that wouldn't * be allowed without the establishment of unprivileged mappings. */ - if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { + if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && + uid_eq(ns->owner, cred->euid)) { u32 id = new_map->extent[0].lower_first; if (cap_setid == CAP_SETUID) { kuid_t uid = make_kuid(ns->parent, id); - if (uid_eq(uid, file->f_cred->euid)) + if (uid_eq(uid, cred->euid)) return true; } }
.\cloneFuncs\totalClone\Type-1\CVE-2014-8989_before_imd_1417825590_new_idmap_permitted.c
1
static bool new_idmap_permitted(const struct file *file,
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
15
struct user_namespace *ns, int cap_setid, struct uid_gid_map *new_map) { /* Don't allow mappings that would allow anything that wouldn't * be allowed without the establishment of unprivileged mappings. */ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { u32 id = new_map->extent[0].lower_first; if (cap_setid == CAP_SETUID) { kuid_t uid = make_kuid(ns->parent, id); if (uid_eq(uid, file->f_cred->euid)) return true; } }
+ show +
16
17
18
19
20
21
22
23
24
25
/* Allow anyone to set a mapping that doesn't require privilege */ if (!cap_valid(cap_setid)) return true; /* Allow the specified ids if we have the appropriate capability * (CAP_SETUID or CAP_SETGID) over the parent user namespace. * And the opener of the id file also had the approprpiate capability. */ if (ns_capable(ns->parent, cap_setid) &&

[ffmpeg_CVE-2014-9604_1425490574_restore_median.diff] restore_median_OLD.c #1
slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride;
.\cloneFuncs\totalClone\Type-1\CVE-2014-9604_before_1mo_1396376399_restore_median.c
1
2
3
4
5
6
7
8
9
10
static void restore_median(uint8_t *src, int step, int stride, int width, int height, int slices, int rmode) { int i, j, slice; int A, B, C; uint8_t *bsrc; int slice_start, slice_height; const int cmask = ~rmode; for (slice = 0; slice < slices; slice++) {
+ show +
11
12
13
14
15
slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; bsrc = src + slice_start * stride;
+ show +
16
17
18
19
20
21
22
23
24
25
// first line - left neighbour prediction bsrc[0] += 0x80; A = bsrc[0]; for (i = step; i < width * step; i += step) { bsrc[i] += A; A = bsrc[i]; } bsrc += stride; if (slice_height == 1)

[ffmpeg_CVE-2014-9604_1425490574_restore_median_il.diff] restore_median_il_OLD.c #1
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride;
.\cloneFuncs\totalClone\Type-1\CVE-2014-9604_before_1mo_1396376399_restore_median_il.c
3
4
5
6
7
8
9
10
11
12
{ int i, j, slice; int A, B, C; uint8_t *bsrc; int slice_start, slice_height; const int cmask = ~(rmode ? 3 : 1); const int stride2 = stride << 1; for (slice = 0; slice < slices; slice++) { slice_start = ((slice * height) / slices) & cmask;
+ show +
13
14
15
16
17
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; bsrc = src + slice_start * stride;
+ show +
18
19
20
21
22
23
24
25
26
27
// first line - left neighbour prediction bsrc[0] += 0x80; A = bsrc[0]; for (i = step; i < width * step; i += step) { bsrc[i] += A; A = bsrc[i]; } for (i = 0; i < width * step; i += step) { bsrc[stride + i] += A;

[openssl_CVE-2015-0205_1414092977_ssl3_get_cert_verify.diff] ssl3_get_cert_verify_OLD.c #1
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) + if (peer != NULL) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
.\cloneFuncs\totalClone\Type-1\CVE-2015-0205_before_1mo_1407493465_ssl3_get_cert_verify.c
24
25
26
27
28
29
30
31
32
33
peer=s->session->peer; pkey=X509_get_pubkey(peer); type=X509_certificate_type(peer,pkey); } else { peer=NULL; pkey=NULL; }
+ show +
34
35
36
37
38
39
40
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; if ((peer != NULL) && (type & EVP_PKT_SIGN)) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
+ show +
41
42
43
44
45
46
47
48
49
50
goto f_err; } ret=1; goto end; } if (peer == NULL) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); al=SSL_AD_UNEXPECTED_MESSAGE;
.\cloneFuncs\totalClone\Type-2\CVE-2015-0205_before_6mo_1387114344_ssl3_get_cert_verify.c
24
25
26
27
28
29
30
31
32
33
peer=s->session->peer; pkey=X509_get_pubkey(peer); type=X509_certificate_type(peer,pkey); } else { peer=NULL; pkey=NULL; }
+ show +
34
35
36
37
38
39
40
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; if ((peer != NULL) && (type & EVP_PKT_SIGN)) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
+ show +
41
42
43
44
45
46
47
48
49
50
goto f_err; } ret=1; goto end; } if (peer == NULL) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); al=SSL_AD_UNEXPECTED_MESSAGE;

[openssl_CVE-2015-0206_1420640293_dtls1_buffer_record.diff] dtls1_buffer_record_OLD.c #1
/* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; - + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2015-0206_after_imd_1421400110_dtls1_buffer_record.c
1
2
3
4
5
6
static int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) { DTLS1_RECORD_DATA *rdata; pitem *item;
+ show +
7
8
9
10
11
12
13
/* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL)
+ show +
14
15
16
17
18
19
20
21
22
23
{ if (rdata != NULL) OPENSSL_free(rdata); if (item != NULL) pitem_free(item); SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); return(0); } rdata->packet = s->packet; rdata->packet_length = s->packet_length;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0206_before_1mo_1416315386_dtls1_buffer_record.c
1
2
3
4
5
6
static int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) { DTLS1_RECORD_DATA *rdata; pitem *item;
+ show +
7
8
9
10
11
12
13
/* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL)
+ show +
14
15
16
17
18
19
20
21
22
23
{ if (rdata != NULL) OPENSSL_free(rdata); if (item != NULL) pitem_free(item); SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); return(0); } rdata->packet = s->packet; rdata->packet_length = s->packet_length;

[openssl_CVE-2015-0206_1420640293_dtls1_process_buffered_records.diff] dtls1_process_buffered_records_OLD.c #1
dtls1_get_unprocessed_record(s); if ( ! dtls1_process_record(s)) return(0); - dtls1_buffer_record(s, &(s->d1->processed_rcds), - s->s3->rrec.seq_num); + if(dtls1_buffer_record(s, &(s->d1->processed_rcds), + s->s3->rrec.seq_num)<0) + return -1; } }
.\cloneFuncs\totalClone\Type-1\CVE-2015-0206_before_1mo_1416315386_dtls1_process_buffered_records.c
6
7
8
9
10
11
12
13
14
15
item = pqueue_peek(s->d1->unprocessed_rcds.q); if (item) { /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) return(1); /* Nothing to do. */ /* Process all the records. */ while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+ show +
16
17
18
19
20
21
22
dtls1_get_unprocessed_record(s); if ( ! dtls1_process_record(s)) return(0); dtls1_buffer_record(s, &(s->d1->processed_rcds), s->s3->rrec.seq_num); } }
+ show +
23
24
25
26
27
28
29
30
/* sync epoch numbers once all the unprocessed records * have been processed */ s->d1->processed_rcds.epoch = s->d1->r_epoch; s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; return(1); }

[openssl_CVE-2015-0206_1420640293_dtls1_get_record.diff] dtls1_get_record_OLD.c #1
/* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ - dtls1_process_buffered_records(s); + if(dtls1_process_buffered_records(s)<0) + return -1; /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s))
.\cloneFuncs\totalClone\Type-1\CVE-2015-0206_before_imd_1420246475_dtls1_get_record.c
3
4
5
6
7
8
9
10
11
12
int ssl_major,ssl_minor; int i,n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr= &(s->s3->rrec);
+ show +
13
14
15
16
17
18
/* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ dtls1_process_buffered_records(s); /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s))
+ show +
19
20
21
22
23
24
25
26
27
28
return 1; /* get something from the wire */ again: /* check if we have the header */ if ( (s->rstate != SSL_ST_READ_BODY) || (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); /* read timeout is handled by dtls1_read_bytes */
.\cloneFuncs\totalClone\Type-3\CVE-2015-0206_before_1mo_1416315386_dtls1_get_record.c
3
4
5
6
7
8
9
10
11
12
int ssl_major,ssl_minor; int i,n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr= &(s->s3->rrec);
+ show +
13
14
15
16
17
18
/* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ dtls1_process_buffered_records(s); /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s))
+ show +
19
20
21
22
23
24
25
26
27
28
return 1; /* get something from the wire */ again: /* check if we have the header */ if ( (s->rstate != SSL_ST_READ_BODY) || (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); /* read timeout is handled by dtls1_read_bytes */

[openssl_CVE-2015-0206_1420640293_dtls1_get_record.diff] dtls1_get_record_OLD.c #2
{ if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { - dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0) + return -1; + dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ } rr->length = 0; s->packet_length = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0206_before_imd_1420246475_dtls1_get_record.c
142
143
144
145
146
147
148
149
150
151
/* just read a 0 length packet */ if (rr->length == 0) goto again; /* If this record is from the next epoch (either HM or ALERT), * and a handshake is currently in progress, buffer it since it * cannot be processed at this time. However, do not buffer * anything while listening. */ if (is_next_epoch)
+ show +
152
153
154
155
156
157
158
{ if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); } rr->length = 0; s->packet_length = 0;
+ show +
159
160
161
162
163
164
165
166
167
168
goto again; } if (!dtls1_process_record(s)) { rr->length = 0; s->packet_length = 0; /* dump this record */ goto again; /* get another record */ }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0206_before_1mo_1416315386_dtls1_get_record.c
143
144
145
146
147
148
149
150
151
152
/* just read a 0 length packet */ if (rr->length == 0) goto again; /* If this record is from the next epoch (either HM or ALERT), * and a handshake is currently in progress, buffer it since it * cannot be processed at this time. However, do not buffer * anything while listening. */ if (is_next_epoch)
+ show +
153
154
155
156
157
158
159
{ if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); } rr->length = 0; s->packet_length = 0;
+ show +
160
161
162
163
164
165
166
167
168
169
goto again; } if (!dtls1_process_record(s)) { rr->length = 0; s->packet_length = 0; /* dump this record */ goto again; /* get another record */ }

[openssl_CVE-2015-0207_1425917344_dtls1_listen.diff] dtls1_listen_OLD.c #1
{ int ret; + /* Ensure there is no state left over from a previous invocation */ + SSL_clear(s); + SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); s->d1->listen = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0207_before_1mo_1421924687_dtls1_listen.c
1
int dtls1_listen(SSL *s, struct sockaddr *client)
+ show +
2
3
4
5
6
{ int ret; SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); s->d1->listen = 1;
+ show +
7
8
9
10
11
12
13
14
ret = SSL_accept(s); if (ret <= 0) return ret; (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); return 1; }
.\cloneFuncs\totalClone\Type-4\CVE-2015-0207_before_6mo_1404072323_dtls1_listen.c
1
int dtls1_listen(SSL *s, struct sockaddr *client)
+ show +
2
3
4
5
6
{ int ret; SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); s->d1->listen = 1;
+ show +
7
8
9
10
11
12
13
ret = SSL_accept(s); if (ret <= 0) return ret; (void) BIO_dgram_get_peer(SSL_get_rbio(s), client); return 1; }

[linux_CVE-2015-0239_1420146671_em_sysenter.diff] em_sysenter_OLD.c #1
* Not recognized on AMD in compat mode (but is recognized in legacy * mode). */ - if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) + if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) && !vendor_intel(ctxt)) return emulate_ud(ctxt);
.\cloneFuncs\totalClone\Type-1\CVE-2015-0239_before_1mo_1416401298_em_sysenter.c
5
6
7
8
9
10
11
12
13
14
u64 msr_data; u16 cs_sel, ss_sel; u64 efer = 0; ops->get_msr(ctxt, MSR_EFER, &efer); /* inject #GP if in real mode */ if (ctxt->mode == X86EMUL_MODE_REAL) return emulate_gp(ctxt, 0); /*
+ show +
15
16
17
18
19
20
* Not recognized on AMD in compat mode (but is recognized in legacy * mode). */ if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) && !vendor_intel(ctxt)) return emulate_ud(ctxt);
+ show +
21
22
23
24
25
26
27
28
29
30
/* sysenter/sysexit have not been tested in 64bit mode. */ if (ctxt->mode == X86EMUL_MODE_PROT64) return X86EMUL_UNHANDLEABLE; setup_syscalls_segments(ctxt, &cs, &ss); ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); switch (ctxt->mode) { case X86EMUL_MODE_PROT32:
.\cloneFuncs\totalClone\Type-3\CVE-2015-0239_before_6mo_1402837981_em_sysenter.c
5
6
7
8
9
10
11
12
13
14
u64 msr_data; u16 cs_sel, ss_sel; u64 efer = 0; ops->get_msr(ctxt, MSR_EFER, &efer); /* inject #GP if in real mode */ if (ctxt->mode == X86EMUL_MODE_REAL) return emulate_gp(ctxt, 0); /*
+ show +
15
16
17
18
19
20
* Not recognized on AMD in compat mode (but is recognized in legacy * mode). */ if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) && !vendor_intel(ctxt)) return emulate_ud(ctxt);
+ show +
21
22
23
24
25
26
27
28
29
30
/* XXX sysenter/sysexit have not been tested in 64bit mode. * Therefore, we inject an #UD. */ if (ctxt->mode == X86EMUL_MODE_PROT64) return emulate_ud(ctxt); setup_syscalls_segments(ctxt, &cs, &ss); ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);

[openssl_CVE-2015-0285_1424951760_ssl3_client_hello.diff] ssl3_client_hello_OLD.c #1
} else i = 1; - if (i) - ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)); + if (i && ssl_fill_hello_random(s, 0, p, + sizeof(s->s3->client_random)) <= 0) + goto err; /* Do the message type and length last */ d = p = ssl_handshake_start(s);
.\cloneFuncs\totalClone\Type-1\CVE-2015-0285_before_imd_1423237932_ssl3_client_hello.c
61
62
63
64
65
66
67
68
69
70
*/ if (SSL_IS_DTLS(s)) { size_t idx; i = 1; for (idx = 0; idx < sizeof(s->s3->client_random); idx++) { if (p[idx]) { i = 0; break; } }
+ show +
71
72
73
74
75
76
77
78
} else i = 1; if (i) ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d = p = ssl_handshake_start(s);
+ show +
79
80
81
82
83
84
85
86
87
88
/*- * version indicates the negotiated version: for example from * an SSLv2/v3 compatible client hello). The client_version * field is the maximum version we permit and it is also * used in RSA encrypted premaster secrets. Some servers can * choke if we initially report a higher version then * renegotiate to a lower one in the premaster secret. This * didn't happen with TLS 1.0 as most servers supported it * but it can with TLS 1.1 or later if the server only supports
.\cloneFuncs\totalClone\Type-3\CVE-2015-0285_before_1mo_1421453214_ssl3_client_hello.c
61
62
63
64
65
66
67
68
69
70
*/ if (SSL_IS_DTLS(s)) { size_t idx; i = 1; for (idx = 0; idx < sizeof(s->s3->client_random); idx++) { if (p[idx]) { i = 0; break; } }
+ show +
71
72
73
74
75
76
77
78
} else i = 1; if (i) ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d = p = ssl_handshake_start(s);
+ show +
79
80
81
82
83
84
85
86
87
88
/*- * version indicates the negotiated version: for example from * an SSLv2/v3 compatible client hello). The client_version * field is the maximum version we permit and it is also * used in RSA encrypted premaster secrets. Some servers can * choke if we initially report a higher version then * renegotiate to a lower one in the premaster secret. This * didn't happen with TLS 1.0 as most servers supported it * but it can with TLS 1.1 or later if the server only supports

[openssl_CVE-2015-0286_1425942705_ASN1_TYPE_cmp.diff] ASN1_TYPE_cmp_OLD.c #1
case V_ASN1_OBJECT: result = OBJ_cmp(a->value.object, b->value.object); break; + case V_ASN1_BOOLEAN: + result = a->value.boolean - b->value.boolean; + break; case V_ASN1_NULL: result = 0; /* They do not have content. */ break;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0286_before_1mo_1423237673_ASN1_TYPE_cmp.c
1
2
3
4
5
6
7
8
int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) { int result = -1; if (!a || !b || a->type != b->type) return -1; switch (a->type) {
+ show +
9
10
11
12
13
14
case V_ASN1_OBJECT: result = OBJ_cmp(a->value.object, b->value.object); break; case V_ASN1_NULL: result = 0; /* They do not have content. */ break;
+ show +
15
16
17
18
19
20
21
22
23
24
case V_ASN1_INTEGER: case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: case V_ASN1_SET: case V_ASN1_NUMERICSTRING: case V_ASN1_PRINTABLESTRING:
.\cloneFuncs\totalClone\Type-2\CVE-2015-0286_before_6mo_1205701150_ASN1_TYPE_cmp.c
1
2
3
4
5
6
7
8
int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) { int result = -1; if (!a || !b || a->type != b->type) return -1; switch (a->type) {
+ show +
9
10
11
12
13
14
case V_ASN1_OBJECT: result = OBJ_cmp(a->value.object, b->value.object); break; case V_ASN1_NULL: result = 0; /* They do not have content. */ break;
+ show +
15
16
17
18
19
20
21
22
23
24
case V_ASN1_INTEGER: case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: case V_ASN1_SET: case V_ASN1_NUMERICSTRING: case V_ASN1_PRINTABLESTRING:

[openssl_CVE-2015-0287_1424658764_ASN1_item_ex_d2i.diff] ASN1_item_ex_d2i_OLD.c #1
case ASN1_ITYPE_CHOICE: if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; - - /* Allocate structure */ - if (!*pval && !ASN1_item_ex_new(pval, it)) { + if (*pval) { + /* Free up and zero CHOICE value if initialised */ + i = asn1_get_choice_selector(pval, it); + if ((i >= 0) && (i < it->tcount)) { + tt = it->templates + i; + pchptr = asn1_get_field_ptr(pval, tt); + ASN1_template_free(pchptr, tt); + asn1_set_choice_selector(pval, -1, it); + } + } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
129
130
131
132
133
134
135
136
137
138
if (tag != -1) *wp = imphack; if (ptmpval) return 1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
139
140
141
142
143
144
145
146
147
case ASN1_ITYPE_CHOICE: if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; /* Allocate structure */ if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
+ show +
148
149
150
151
152
153
154
155
156
157
/* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt); /* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1)
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
130
131
132
133
134
135
136
137
138
139
if (tag != -1) *wp = imphack; if (ptmpval) return 1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
140
141
142
143
144
145
146
147
148
case ASN1_ITYPE_CHOICE: if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; /* Allocate structure */ if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
+ show +
149
150
151
152
153
154
155
156
157
158
/* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt); /* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1)

[openssl_CVE-2015-0287_1424658764_ASN1_item_ex_d2i.diff] ASN1_item_ex_d2i_OLD.c #2
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; + /* Free up and zero any ADB found */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { + if (tt->flags & ASN1_TFLG_ADB_MASK) { + const ASN1_TEMPLATE *seqtt; + ASN1_VALUE **pseqval; + seqtt = asn1_do_adb(pval, tt, 1); + pseqval = asn1_get_field_ptr(pval, seqtt); + ASN1_template_free(pseqval, seqtt); + } + } + /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
211
212
213
214
215
216
217
218
219
220
if (!cst) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); goto err; } if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
+ show +
221
222
223
224
225
226
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt;
+ show +
227
228
229
230
231
232
233
234
235
236
ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) goto err; pseqval = asn1_get_field_ptr(pval, seqtt); /* Have we ran out of data? */ if (!len) break; q = p; if (asn1_check_eoc(&p, len)) {
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
212
213
214
215
216
217
218
219
220
221
if (!cst) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); goto err; } if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
+ show +
222
223
224
225
226
227
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt;
+ show +
228
229
230
231
232
233
234
235
236
237
ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) goto err; pseqval = asn1_get_field_ptr(pval, seqtt); /* Have we ran out of data? */ if (!len) break; q = p; if (asn1_check_eoc(&p, len)) {

[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #2
else asn1_cb = 0; + if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { + ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NESTED_TOO_DEEP); + goto err; + } + switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
13
14
15
16
17
18
19
20
21
22
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
23
24
25
26
27
28
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
29
30
31
32
33
34
35
36
37
38
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
11
12
13
14
15
16
17
18
19
20
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
21
22
23
24
25
26
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
27
28
29
30
31
32
33
34
35
36
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
11
12
13
14
15
16
17
18
19
20
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
21
22
23
24
25
26
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
27
28
29
30
31
32
33
34
35
36
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_1mo_1427298176_ASN1_item_ex_d2i.c
11
12
13
14
15
16
17
18
19
20
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
21
22
23
24
25
26
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
27
28
29
30
31
32
33
34
35
36
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_6mo_1439820138_ASN1_item_ex_d2i.c
11
12
13
14
15
16
17
18
19
20
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
21
22
23
24
25
26
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
27
28
29
30
31
32
33
34
35
36
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
13
14
15
16
17
18
19
20
21
22
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
23
24
25
26
27
28
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
29
30
31
32
33
34
35
36
37
38
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
11
12
13
14
15
16
17
18
19
20
char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+ show +
21
22
23
24
25
26
else asn1_cb = 0; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) {
+ show +
27
28
29
30
31
32
33
34
35
36
/* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err;

[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #3
goto err; } return asn1_template_ex_d2i(pval, in, len, - it->templates, opt, ctx); + it->templates, opt, ctx, depth); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
28
29
30
31
32
33
34
35
36
37
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
38
39
40
41
42
43
44
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
45
46
47
48
49
50
51
52
53
54
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_1mo_1427298176_ASN1_item_ex_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_6mo_1439820138_ASN1_item_ex_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
28
29
30
31
32
33
34
35
36
37
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
38
39
40
41
42
43
44
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
45
46
47
48
49
50
51
52
53
54
break; case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-4\CVE-2015-0287_before_6mo_1276352003_ASN1_item_ex_d2i.c
30
31
32
33
34
35
36
37
38
39
/* tagging or OPTIONAL is currently illegal on an item * template because the flags can't get passed down. * In practice this isn't a problem: we include the * relevant flags from the item template in the * template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
40
41
42
43
44
45
46
goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+ show +
47
48
49
50
51
52
53
54
55
56
break; case ASN1_ITYPE_MSTRING: p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,

[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #4
/* * We mark field as OPTIONAL so its absence can be recognised. */ - ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); + ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); /* If field not present, try the next one */ if (ret == -1) continue;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
142
143
144
145
146
147
148
149
150
151
/* Allocate structure */ if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
152
153
154
155
156
157
158
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
159
160
161
162
163
164
165
166
167
168
/* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Did we fall off the end without reading anything? */
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
87
88
89
90
91
92
93
94
95
96
asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
97
98
99
100
101
102
103
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
104
105
106
107
108
109
110
111
112
113
/* If positive return, read OK, break loop */ if (ret > 0) break; /* * Must be an ASN1 parsing error. * Free up any partial choice value */ asn1_template_free(pchptr, tt); errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
87
88
89
90
91
92
93
94
95
96
asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
97
98
99
100
101
102
103
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
104
105
106
107
108
109
110
111
112
113
/* * Set the choice selector here to ensure that the value is * correctly freed upon error. It may be partially initialized * even if parsing failed. */ asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_1mo_1427298176_ASN1_item_ex_d2i.c
87
88
89
90
91
92
93
94
95
96
asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
97
98
99
100
101
102
103
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
104
105
106
107
108
109
110
111
112
113
/* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Did we fall off the end without reading anything? */
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_6mo_1439820138_ASN1_item_ex_d2i.c
87
88
89
90
91
92
93
94
95
96
asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
97
98
99
100
101
102
103
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
104
105
106
107
108
109
110
111
112
113
/* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Did we fall off the end without reading anything? */
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
143
144
145
146
147
148
149
150
151
152
/* Allocate structure */ if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
153
154
155
156
157
158
159
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
160
161
162
163
164
165
166
167
168
169
/* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Did we fall off the end without reading anything? */
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
87
88
89
90
91
92
93
94
95
96
asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt);
+ show +
97
98
99
100
101
102
103
/* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); /* If field not present, try the next one */ if (ret == -1) continue;
+ show +
104
105
106
107
108
109
110
111
112
113
/* * Set the choice selector here to ensure that the value is * correctly freed upon error. It may be partially initialized * even if parsing failed. */ asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */

[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #5
* attempt to read in field, allowing each to be OPTIONAL */ - ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); + ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, + depth); if (!ret) { errtt = seqtt; goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
247
248
249
250
251
252
253
254
255
256
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
257
258
259
260
261
262
263
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
264
265
266
267
268
269
270
271
272
273
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ ASN1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
210
211
212
213
214
215
216
217
218
219
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
220
221
222
223
224
225
226
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
227
228
229
230
231
232
233
234
235
236
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ asn1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
210
211
212
213
214
215
216
217
218
219
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
220
221
222
223
224
225
226
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
227
228
229
230
231
232
233
234
235
236
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ asn1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_1mo_1427298176_ASN1_item_ex_d2i.c
203
204
205
206
207
208
209
210
211
212
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
213
214
215
216
217
218
219
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
220
221
222
223
224
225
226
227
228
229
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ ASN1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_6mo_1439820138_ASN1_item_ex_d2i.c
203
204
205
206
207
208
209
210
211
212
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
213
214
215
216
217
218
219
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
220
221
222
223
224
225
226
227
228
229
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ asn1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
248
249
250
251
252
253
254
255
256
257
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
258
259
260
261
262
263
264
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
265
266
267
268
269
270
271
272
273
274
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ ASN1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
208
209
210
211
212
213
214
215
216
217
* This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /*
+ show +
218
219
220
221
222
223
224
* attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); if (!ret) { errtt = seqtt; goto err;
+ show +
225
226
227
228
229
230
231
232
233
234
} else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ asn1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; }

[openssl_CVE-2015-0288_1424219699_X509_to_X509_REQ.diff] X509_to_X509_REQ_OLD.c #1
goto err; pktmp = X509_get_pubkey(x); + if (pktmp == NULL) + goto err; i = X509_REQ_set_pubkey(ret, pktmp); EVP_PKEY_free(pktmp); if (!i)
.\cloneFuncs\totalClone\Type-1\CVE-2015-0288_before_imd_1421898055_X509_to_X509_REQ.c
13
14
15
16
17
18
19
20
21
22
ri = ret->req_info; ri->version->length = 1; ri->version->data = (unsigned char *)OPENSSL_malloc(1); if (ri->version->data == NULL) goto err; ri->version->data[0] = 0; /* version == 0 */ if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
+ show +
23
24
25
26
27
28
goto err; pktmp = X509_get_pubkey(x); i = X509_REQ_set_pubkey(ret, pktmp); EVP_PKEY_free(pktmp); if (!i)
+ show +
29
30
31
32
33
34
35
36
37
38
goto err; if (pkey != NULL) { if (!X509_REQ_sign(ret, pkey, md)) goto err; } return (ret); err: X509_REQ_free(ret); return (NULL);

[openssl_CVE-2015-0290_1425288430_ssl3_write_bytes.diff] ssl3_write_bytes_OLD.c #1
i = ssl3_write_pending(s, type, &buf[tot], nw); if (i <= 0) { - if (i < 0) { + if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) { OPENSSL_free(wb->buf); wb->buf = NULL; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-0290_before_imd_1425466665_ssl3_write_bytes.c
159
160
161
162
163
164
165
166
167
168
} wb->offset = 0; wb->left = packlen; s->s3->wpend_tot = nw; s->s3->wpend_buf = &buf[tot]; s->s3->wpend_type = type; s->s3->wpend_ret = nw;
+ show +
169
170
171
172
173
174
i = ssl3_write_pending(s, type, &buf[tot], nw); if (i <= 0) { if (i < 0) { OPENSSL_free(wb->buf); wb->buf = NULL; }
+ show +
175
176
177
178
179
180
181
182
183
184
s->s3->wnum = tot; return i; } if (i == (int)n) { OPENSSL_free(wb->buf); /* free jumbo buffer */ wb->buf = NULL; return tot + i; } n -= i; tot += i;
.\cloneFuncs\totalClone\Type-3\CVE-2015-0290_before_1mo_1422389652_ssl3_write_bytes.c
155
156
157
158
159
160
161
162
163
164
} wb->offset = 0; wb->left = packlen; s->s3->wpend_tot = nw; s->s3->wpend_buf = &buf[tot]; s->s3->wpend_type = type; s->s3->wpend_ret = nw;
+ show +
165
166
167
168
169
170
i = ssl3_write_pending(s, type, &buf[tot], nw); if (i <= 0) { if (i < 0) { OPENSSL_free(wb->buf); wb->buf = NULL; }
+ show +
171
172
173
174
175
176
177
178
179
180
s->s3->wnum = tot; return i; } if (i == (int)n) { OPENSSL_free(wb->buf); /* free jumbo buffer */ wb->buf = NULL; return tot + i; } n -= i; tot += i;

[openssl_CVE-2015-0291_1425388857_tls1_set_server_sigalgs.diff] tls1_set_server_sigalgs_OLD.c #1
if (s->cert->shared_sigalgs) { OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; + s->cert->shared_sigalgslen = 0; } /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-0291_before_1mo_1422474784_tls1_set_server_sigalgs.c
1
2
3
4
5
int tls1_set_server_sigalgs(SSL *s) { int al; size_t i; /* Clear any shared sigtnature algorithms */
+ show +
6
7
8
9
10
11
if (s->cert->shared_sigalgs) { OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; } /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ show +
12
13
14
15
16
17
18
19
20
21
s->cert->pkeys[i].digest = NULL; s->cert->pkeys[i].valid_flags = 0; } /* If sigalgs received process it. */ if (s->cert->peer_sigalgs) { if (!tls1_process_sigalgs(s)) { SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); al = SSL_AD_INTERNAL_ERROR; goto err;

[openssl_CVE-2015-0291_1425388857_tls1_set_shared_sigalgs.diff] tls1_set_shared_sigalgs_OLD.c #1
if (c->shared_sigalgs) { OPENSSL_free(c->shared_sigalgs); c->shared_sigalgs = NULL; + c->shared_sigalgslen = 0; } /* If client use client signature algorithms if not NULL */ if (!s->server && c->client_sigalgs && !is_suiteb) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-0291_before_1mo_1422474784_tls1_set_shared_sigalgs.c
1
2
3
4
5
6
7
8
static int tls1_set_shared_sigalgs(SSL *s) { const unsigned char *pref, *allow, *conf; size_t preflen, allowlen, conflen; size_t nmatch; TLS_SIGALGS *salgs = NULL; CERT *c = s->cert; unsigned int is_suiteb = tls1_suiteb(s);
+ show +
9
10
11
12
13
14
if (c->shared_sigalgs) { OPENSSL_free(c->shared_sigalgs); c->shared_sigalgs = NULL; } /* If client use client signature algorithms if not NULL */ if (!s->server && c->client_sigalgs && !is_suiteb) {
+ show +
15
16
17
18
19
20
21
22
23
24
conf = c->client_sigalgs; conflen = c->client_sigalgslen; } else if (c->conf_sigalgs && !is_suiteb) { conf = c->conf_sigalgs; conflen = c->conf_sigalgslen; } else conflen = tls12_get_psigalgs(s, &conf); if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { pref = conf; preflen = conflen;

[linux_CVE-2015-1350_1464276092_notify_change.diff] notify_change_OLD.c #1
if (!(ia_valid & ATTR_MTIME_SET)) attr->ia_mtime = now; if (ia_valid & ATTR_KILL_PRIV) { - attr->ia_valid &= ~ATTR_KILL_PRIV; - ia_valid &= ~ATTR_KILL_PRIV; error = security_inode_need_killpriv(dentry); - if (error > 0) - error = security_inode_killpriv(dentry); - if (error) + if (error < 0) return error; + if (error == 0) + ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV; } /*
.\cloneFuncs\totalClone\Type-1\CVE-2015-1350_before_imd_1464274518_notify_change.c
18
19
20
21
22
23
24
25
26
27
/* Flag setting protected by i_mutex */ if (is_sxid(amode)) inode->i_flags &= ~S_NOSEC; } now = current_fs_time(inode->i_sb); attr->ia_ctime = now; if (!(ia_valid & ATTR_ATIME_SET)) attr->ia_atime = now;
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
if (!(ia_valid & ATTR_MTIME_SET)) attr->ia_mtime = now; if (ia_valid & ATTR_KILL_PRIV) { attr->ia_valid &= ~ATTR_KILL_PRIV; ia_valid &= ~ATTR_KILL_PRIV; error = security_inode_need_killpriv(dentry); if (error > 0) error = security_inode_killpriv(dentry); if (error) return error; } /*
+ show +
41
42
43
44
45
46
47
48
49
50
* We now pass ATTR_KILL_S*ID to the lower level setattr function so * that the function has the ability to reinterpret a mode change * that's due to these bits. This adds an implicit restriction that * no function will ever call notify_change with both ATTR_MODE and * ATTR_KILL_S*ID set. */ if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) && (ia_valid & ATTR_MODE)) BUG();
.\cloneFuncs\totalClone\Type-3\CVE-2015-1350_before_1mo_1453495257_notify_change.c
18
19
20
21
22
23
24
25
26
27
/* Flag setting protected by i_mutex */ if (is_sxid(amode)) inode->i_flags &= ~S_NOSEC; } now = current_fs_time(inode->i_sb); attr->ia_ctime = now; if (!(ia_valid & ATTR_ATIME_SET)) attr->ia_atime = now;
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
if (!(ia_valid & ATTR_MTIME_SET)) attr->ia_mtime = now; if (ia_valid & ATTR_KILL_PRIV) { attr->ia_valid &= ~ATTR_KILL_PRIV; ia_valid &= ~ATTR_KILL_PRIV; error = security_inode_need_killpriv(dentry); if (error > 0) error = security_inode_killpriv(dentry); if (error) return error; } /*
+ show +
41
42
43
44
45
46
47
48
49
50
* We now pass ATTR_KILL_S*ID to the lower level setattr function so * that the function has the ability to reinterpret a mode change * that's due to these bits. This adds an implicit restriction that * no function will ever call notify_change with both ATTR_MODE and * ATTR_KILL_S*ID set. */ if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) && (ia_valid & ATTR_MODE)) BUG();
.\cloneFuncs\totalClone\Type-3\CVE-2015-1350_before_6mo_1402429542_notify_change.c
18
19
20
21
22
23
24
25
26
27
/* Flag setting protected by i_mutex */ if (is_sxid(amode)) inode->i_flags &= ~S_NOSEC; } now = current_fs_time(inode->i_sb); attr->ia_ctime = now; if (!(ia_valid & ATTR_ATIME_SET)) attr->ia_atime = now;
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
if (!(ia_valid & ATTR_MTIME_SET)) attr->ia_mtime = now; if (ia_valid & ATTR_KILL_PRIV) { attr->ia_valid &= ~ATTR_KILL_PRIV; ia_valid &= ~ATTR_KILL_PRIV; error = security_inode_need_killpriv(dentry); if (error > 0) error = security_inode_killpriv(dentry); if (error) return error; } /*
+ show +
41
42
43
44
45
46
47
48
49
50
* We now pass ATTR_KILL_S*ID to the lower level setattr function so * that the function has the ability to reinterpret a mode change * that's due to these bits. This adds an implicit restriction that * no function will ever call notify_change with both ATTR_MODE and * ATTR_KILL_S*ID set. */ if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) && (ia_valid & ATTR_MODE)) BUG();

[linux_CVE-2015-1350_1464276092_setattr_prepare.diff] setattr_prepare_OLD.c #1
/* If force is set do it anyway. */ if (ia_valid & ATTR_FORCE) - return 0; + goto kill_priv; /* Make sure a caller can chown. */ if ((ia_valid & ATTR_UID) &&
.\cloneFuncs\totalClone\Type-1\CVE-2015-1350_before_imd_1464274518_setattr_prepare.c
6
7
8
9
10
11
12
13
14
15
/* * First check size constraints. These can't be overriden using * ATTR_FORCE. */ if (ia_valid & ATTR_SIZE) { int error = inode_newsize_ok(inode, attr->ia_size); if (error) return error; }
+ show +
16
17
18
19
20
21
/* If force is set do it anyway. */ if (ia_valid & ATTR_FORCE) return 0; /* Make sure a caller can chown. */ if ((ia_valid & ATTR_UID) &&
+ show +
22
23
24
25
26
27
28
29
30
31
(!uid_eq(current_fsuid(), inode->i_uid) || !uid_eq(attr->ia_uid, inode->i_uid)) && !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) return -EPERM; /* Make sure caller can chgrp. */ if ((ia_valid & ATTR_GID) && (!uid_eq(current_fsuid(), inode->i_uid) || (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && !capable_wrt_inode_uidgid(inode, CAP_CHOWN))

[qemu_CVE-2015-1779_1427151502_vncws_handshake_read.diff] vncws_handshake_read_OLD.c #1
VncState *vs = opaque; uint8_t *handshake_end; long ret; - buffer_reserve(&vs->ws_input, 4096); - ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); + /* Typical HTTP headers from novnc are 512 bytes, so limiting + * total header size to 4096 is easily enough. */ + size_t want = 4096 - vs->ws_input.offset; + buffer_reserve(&vs->ws_input, want); + ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want); if (!ret) { if (vs->csock == -1) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-1779_before_1mo_1377097367_vncws_handshake_read.c
1
2
void vncws_handshake_read(void *opaque) {
+ show +
3
4
5
6
7
8
9
10
VncState *vs = opaque; uint8_t *handshake_end; long ret; buffer_reserve(&vs->ws_input, 4096); ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); if (!ret) { if (vs->csock == -1) {
+ show +
11
12
13
14
15
16
17
18
19
20
vnc_disconnect_finish(vs); } return; } vs->ws_input.offset += ret; handshake_end = (uint8_t *)g_strstr_len((char *)vs->ws_input.buffer, vs->ws_input.offset, WS_HANDSHAKE_END); if (handshake_end) { qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);

[openssl_CVE-2015-1787_1426005512_ssl3_get_client_key_exchange.diff] ssl3_get_client_key_exchange_OLD.c #1
if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) { int idx = -1; EVP_PKEY *skey = NULL; - if (n) + if (n > 1) { n2s(p, i); - else + } else { + if (alg_k & SSL_kDHE) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); + goto f_err; + } i = 0; + } if (n && n != i + 2) { if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
.\cloneFuncs\totalClone\Type-1\CVE-2015-1787_before_imd_1426445355_ssl3_get_client_key_exchange.c
173
174
175
176
177
178
179
180
181
182
s->method->ssl3_enc->generate_master_secret(s, s-> session->master_key, p, sizeof (rand_premaster_secret)); OPENSSL_cleanse(p, sizeof(rand_premaster_secret)); } else #endif #ifndef OPENSSL_NO_DH
+ show +
183
184
185
186
187
188
189
190
191
192
if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) { int idx = -1; EVP_PKEY *skey = NULL; if (n) n2s(p, i); else i = 0; if (n && n != i + 2) { if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ show +
193
194
195
196
197
198
199
200
201
202
SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } else { p -= 2; i = (int)n; } } if (alg_k & SSL_kDHr) idx = SSL_PKEY_DH_RSA; else if (alg_k & SSL_kDHd)
.\cloneFuncs\totalClone\Type-2\CVE-2015-1787_before_1mo_1423151874_ssl3_get_client_key_exchange.c
173
174
175
176
177
178
179
180
181
182
s->method->ssl3_enc->generate_master_secret(s, s-> session->master_key, p, sizeof (rand_premaster_secret)); OPENSSL_cleanse(p, sizeof(rand_premaster_secret)); } else #endif #ifndef OPENSSL_NO_DH
+ show +
183
184
185
186
187
188
189
190
191
192
if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) { int idx = -1; EVP_PKEY *skey = NULL; if (n) n2s(p, i); else i = 0; if (n && n != i + 2) { if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ show +
193
194
195
196
197
198
199
200
201
202
SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } else { p -= 2; i = (int)n; } } if (alg_k & SSL_kDHr) idx = SSL_PKEY_DH_RSA; else if (alg_k & SSL_kDHd)

[openssl_CVE-2015-1788_1433974681_BN_GF2m_mod_inv.diff] BN_GF2m_mod_inv_OLD.c #1
} # else { - int i, ubits = BN_num_bits(u), vbits = BN_num_bits(v), /* v is copy - * of p */ - top = p->top; + int i; + int ubits = BN_num_bits(u); + int vbits = BN_num_bits(v); /* v is copy of p */ + int top = p->top; BN_ULONG *udp, *bdp, *vdp, *cdp; bn_wexpand(u, top);
.\cloneFuncs\totalClone\Type-1\CVE-2015-1788_before_1mo_1430536231_BN_GF2m_mod_inv.c
51
52
53
54
55
56
57
58
59
60
v = tmp; tmp = b; b = c; c = tmp; } if (!BN_GF2m_add(u, u, v)) goto err; if (!BN_GF2m_add(b, b, c)) goto err;
+ show +
61
62
63
64
65
66
67
68
69
} # else { int i, ubits = BN_num_bits(u), vbits = BN_num_bits(v), /* v is copy * of p */ top = p->top; BN_ULONG *udp, *bdp, *vdp, *cdp; bn_wexpand(u, top);
+ show +
70
71
72
73
74
75
76
77
78
79
udp = u->d; for (i = u->top; i < top; i++) udp[i] = 0; u->top = top; bn_wexpand(b, top); bdp = b->d; bdp[0] = 1; for (i = 1; i < top; i++) bdp[i] = 0; b->top = top;

[openssl_CVE-2015-1788_1433974681_BN_GF2m_mod_inv.diff] BN_GF2m_mod_inv_OLD.c #2
ubits--; } - if (ubits <= BN_BITS2 && udp[0] == 1) - break; + if (ubits <= BN_BITS2) { + if (udp[0] == 0) /* poly was reducible */ + goto err; + if (udp[0] == 1) + break; + } if (ubits < vbits) { i = ubits;
.\cloneFuncs\totalClone\Type-1\CVE-2015-1788_before_1mo_1430536231_BN_GF2m_mod_inv.c
97
98
99
100
101
102
103
104
105
106
for (i = 0; i < top - 1; i++) { u1 = udp[i + 1]; udp[i] = ((u0 >> 1) | (u1 << (BN_BITS2 - 1))) & BN_MASK2; u0 = u1; b1 = bdp[i + 1] ^ (p->d[i + 1] & mask); bdp[i] = ((b0 >> 1) | (b1 << (BN_BITS2 - 1))) & BN_MASK2; b0 = b1; } udp[i] = u0 >> 1; bdp[i] = b0 >> 1;
+ show +
107
108
109
110
111
112
113
114
ubits--; } if (ubits <= BN_BITS2 && udp[0] == 1) break; if (ubits < vbits) { i = ubits;
+ show +
115
116
117
118
119
120
121
122
123
124
ubits = vbits; vbits = i; tmp = u; u = v; v = tmp; tmp = b; b = c; c = tmp; udp = vdp; vdp = v->d;

[openssl_CVE-2015-1790_1431450030_PKCS7_dataDecode.diff] PKCS7_dataDecode_OLD.c #4
goto err; } + /* Detached content must be supplied via in_bio instead. */ + if (data_body == NULL && in_bio == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); + goto err; + } + /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_after_1mo_1444334427_PKCS7_dataDecode.c
69
70
71
72
73
74
75
76
77
78
} break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; } /* Detached content must be supplied via in_bio instead. */ if (data_body == NULL && in_bio == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ show +
79
80
81
82
83
84
goto err; } /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
+ show +
85
86
87
88
89
90
91
92
93
94
xa = sk_X509_ALGOR_value(md_sk, i); if ((btmp = BIO_new(BIO_f_md())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); goto err; } j = OBJ_obj2nid(xa->algorithm); evp_md = EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_before_imd_1431615408_PKCS7_dataDecode.c
55
56
57
58
59
60
61
62
63
64
data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+ show +
65
66
67
68
69
70
goto err; } /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
+ show +
71
72
73
74
75
76
77
78
79
80
xa = sk_X509_ALGOR_value(md_sk, i); if ((btmp = BIO_new(BIO_f_md())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); goto err; } j = OBJ_obj2nid(xa->algorithm); evp_md = EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_after_6mo_1446203546_PKCS7_dataDecode.c
69
70
71
72
73
74
75
76
77
78
} break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; } /* Detached content must be supplied via in_bio instead. */ if (data_body == NULL && in_bio == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ show +
79
80
81
82
83
84
goto err; } /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
+ show +
85
86
87
88
89
90
91
92
93
94
xa = sk_X509_ALGOR_value(md_sk, i); if ((btmp = BIO_new(BIO_f_md())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); goto err; } j = OBJ_obj2nid(xa->algorithm); evp_md = EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_before_1mo_1427554455_PKCS7_dataDecode.c
55
56
57
58
59
60
61
62
63
64
data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+ show +
65
66
67
68
69
70
goto err; } /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
+ show +
71
72
73
74
75
76
77
78
79
80
xa = sk_X509_ALGOR_value(md_sk, i); if ((btmp = BIO_new(BIO_f_md())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); goto err; } j = OBJ_obj2nid(xa->algorithm); evp_md = EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,

[openssl_CVE-2015-1790_1431450030_PKCS7_dataDecode.diff] PKCS7_dataDecode_OLD.c #1
switch (i) { case NID_pkcs7_signed: + /* + * p7->d.sign->contents is a PKCS7 structure consisting of a contentType + * field and optional content. + * data_body is NULL if that structure has no (=detached) content + * or if the contentType is wrong (i.e., not "data"). + */ data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_before_imd_1431615408_PKCS7_dataDecode.c
20
21
22
23
24
25
26
27
28
29
} if (p7->d.ptr == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); return NULL; } i = OBJ_obj2nid(p7->type); p7->state = PKCS7_S_HEADER;
+ show +
30
31
32
33
34
switch (i) { case NID_pkcs7_signed: data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+ show +
35
36
37
38
39
40
41
42
43
44
PKCS7_R_INVALID_SIGNED_DATA_TYPE); goto err; } md_sk = p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_before_1mo_1427554455_PKCS7_dataDecode.c
20
21
22
23
24
25
26
27
28
29
} if (p7->d.ptr == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); return NULL; } i = OBJ_obj2nid(p7->type); p7->state = PKCS7_S_HEADER;
+ show +
30
31
32
33
34
switch (i) { case NID_pkcs7_signed: data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+ show +
35
36
37
38
39
40
41
42
43
44
PKCS7_R_INVALID_SIGNED_DATA_TYPE); goto err; } md_sk = p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;

[openssl_CVE-2015-1790_1431450030_PKCS7_dataDecode.diff] PKCS7_dataDecode_OLD.c #2
case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_before_imd_1431615408_PKCS7_dataDecode.c
30
31
32
33
34
35
36
37
38
39
switch (i) { case NID_pkcs7_signed: data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_SIGNED_DATA_TYPE); goto err; } md_sk = p7->d.sign->md_algs; break;
+ show +
40
41
42
43
44
45
case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
+ show +
46
47
48
49
50
51
52
53
54
55
if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; data_body = p7->d.enveloped->enc_data->enc_data;
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_before_1mo_1427554455_PKCS7_dataDecode.c
30
31
32
33
34
35
36
37
38
39
switch (i) { case NID_pkcs7_signed: data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_SIGNED_DATA_TYPE); goto err; } md_sk = p7->d.sign->md_algs; break;
+ show +
40
41
42
43
44
45
case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
+ show +
46
47
48
49
50
51
52
53
54
55
if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; data_body = p7->d.enveloped->enc_data->enc_data;
.\cloneFuncs\totalClone\Type-4\CVE-2015-1790_before_6mo_1399501262_PKCS7_dataDecode.c
21
22
23
24
25
26
27
28
29
30
{ case NID_pkcs7_signed: data_body=PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE); goto err; } md_sk=p7->d.sign->md_algs; break;
+ show +
31
32
33
34
35
36
case NID_pkcs7_signedAndEnveloped: rsk=p7->d.signed_and_enveloped->recipientinfo; md_sk=p7->d.signed_and_enveloped->md_algs; data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
+ show +
37
38
39
40
41
42
43
44
45
46
if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; case NID_pkcs7_enveloped: rsk=p7->d.enveloped->recipientinfo; enc_alg=p7->d.enveloped->enc_data->algorithm; data_body=p7->d.enveloped->enc_data->enc_data;

[openssl_CVE-2015-1790_1431450030_PKCS7_dataDecode.diff] PKCS7_dataDecode_OLD.c #3
case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_before_imd_1431615408_PKCS7_dataDecode.c
42
43
44
45
46
47
48
49
50
51
md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break;
+ show +
52
53
54
55
56
57
case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) {
+ show +
58
59
60
61
62
63
64
65
66
67
PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; }
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_before_1mo_1427554455_PKCS7_dataDecode.c
42
43
44
45
46
47
48
49
50
51
md_sk = p7->d.signed_and_enveloped->md_algs; data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break;
+ show +
52
53
54
55
56
57
case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) {
+ show +
58
59
60
61
62
63
64
65
66
67
PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; }

[openssl_CVE-2015-1790_1431450030_PKCS7_dataDecode.diff] PKCS7_dataDecode_OLD.c #5
BIO_push(out, etmp); etmp = NULL; } - if (PKCS7_is_detached(p7) || (in_bio != NULL)) { + if (in_bio != NULL) { bio = in_bio; } else { if (data_body->length > 0)
.\cloneFuncs\totalClone\Type-1\CVE-2015-1790_before_imd_1431615408_PKCS7_dataDecode.c
180
181
182
183
184
185
186
187
188
189
goto err; OPENSSL_clear_free(ek, eklen); ek = NULL; OPENSSL_clear_free(tkey, tkeylen); tkey = NULL; if (out == NULL) out = etmp; else
+ show +
190
191
192
193
194
195
196
BIO_push(out, etmp); etmp = NULL; } if (PKCS7_is_detached(p7) || (in_bio != NULL)) { bio = in_bio; } else { if (data_body->length > 0)
+ show +
197
198
199
200
201
202
203
204
205
206
bio = BIO_new_mem_buf(data_body->data, data_body->length); else { bio = BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio, 0); } if (bio == NULL) goto err; } BIO_push(out, bio); bio = NULL;
.\cloneFuncs\totalClone\Type-3\CVE-2015-1790_before_1mo_1427554455_PKCS7_dataDecode.c
187
188
189
190
191
192
193
194
195
196
} if (tkey) { OPENSSL_cleanse(tkey, tkeylen); OPENSSL_free(tkey); tkey = NULL; } if (out == NULL) out = etmp; else
+ show +
197
198
199
200
201
202
203
BIO_push(out, etmp); etmp = NULL; } if (PKCS7_is_detached(p7) || (in_bio != NULL)) { bio = in_bio; } else { if (data_body->length > 0)
+ show +
204
205
206
207
208
209
210
211
212
213
bio = BIO_new_mem_buf(data_body->data, data_body->length); else { bio = BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio, 0); } if (bio == NULL) goto err; } BIO_push(out, bio); bio = NULL;

[openssl_CVE-2015-1791_1433982606_ssl_session_dup.diff] ssl_session_dup_OLD.c #1
} memcpy(dest, src, sizeof(*dest)); + /* + * Set the various pointers to NULL so that we can call SSL_SESSION_free in + * the case of an error whilst halfway through constructing dest + */ +#ifndef OPENSSL_NO_PSK + dest->psk_identity_hint = NULL; + dest->psk_identity = NULL; +#endif + dest->ciphers = NULL; + dest->tlsext_hostname = NULL; +#ifndef OPENSSL_NO_EC + dest->tlsext_ecpointformatlist = NULL; + dest->tlsext_ellipticcurvelist = NULL; +#endif + dest->tlsext_tick = NULL; +#ifndef OPENSSL_NO_SRP + dest->srp_username = NULL; +#endif + memset(&dest->ex_data, 0, sizeof(dest->ex_data)); + + /* We deliberately don't copy the prev and next pointers */ + dest->prev = NULL; + dest->next = NULL; + + dest->references = 1; + + if (src->sess_cert != NULL) + CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); + + if (src->peer != NULL) + CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); + #ifndef OPENSSL_NO_PSK if (src->psk_identity_hint) { dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); if (dest->psk_identity_hint == NULL) { goto err; } - } else { - dest->psk_identity_hint = NULL; } if (src->psk_identity) { dest->psk_identity = BUF_strdup(src->psk_identity); if (dest->psk_identity == NULL) { goto err; } - } else { - dest->psk_identity = NULL; } #endif - if (src->sess_cert != NULL) - CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); - - if (src->peer != NULL) - CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); - - dest->references = 1; - if(src->ciphers != NULL) { dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); if (dest->ciphers == NULL) goto err; - } else { - dest->ciphers = NULL; } if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
.\cloneFuncs\totalClone\Type-1\CVE-2015-1791_before_imd_1431962868_ssl_session_dup.c
1
2
3
4
5
6
7
SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) { SSL_SESSION *dest; dest = OPENSSL_malloc(sizeof(*src)); if (dest == NULL) { goto err;
+ show +
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
} memcpy(dest, src, sizeof(*dest)); #ifndef OPENSSL_NO_PSK if (src->psk_identity_hint) { dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); if (dest->psk_identity_hint == NULL) { goto err; } } else { dest->psk_identity_hint = NULL; } if (src->psk_identity) { dest->psk_identity = BUF_strdup(src->psk_identity); if (dest->psk_identity == NULL) { goto err; } } else { dest->psk_identity = NULL; } #endif if (src->sess_cert != NULL) CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); if (src->peer != NULL) CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); dest->references = 1; if(src->ciphers != NULL) { dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); if (dest->ciphers == NULL) goto err; } else { dest->ciphers = NULL; } if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
+ show +
47
48
49
50
51
52
53
54
55
56
&dest->ex_data, &src->ex_data)) { goto err; } /* We deliberately don't copy the prev and next pointers */ dest->prev = NULL; dest->next = NULL; #ifndef OPENSSL_NO_TLSEXT if (src->tlsext_hostname) {

[openssl_CVE-2015-1791_1433982606_ssl_session_dup.diff] ssl_session_dup_OLD.c #2
goto err; } - /* We deliberately don't copy the prev and next pointers */ - dest->prev = NULL; - dest->next = NULL; - -#ifndef OPENSSL_NO_TLSEXT if (src->tlsext_hostname) { dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname); if (dest->tlsext_hostname == NULL) { goto err; } - } else { - dest->tlsext_hostname = NULL; } -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC if (src->tlsext_ecpointformatlist) { dest->tlsext_ecpointformatlist = BUF_memdup(src->tlsext_ecpointformatlist, src->tlsext_ecpointformatlist_length); if (dest->tlsext_ecpointformatlist == NULL) goto err; - dest->tlsext_ecpointformatlist_length = - src->tlsext_ecpointformatlist_length; } if (src->tlsext_ellipticcurvelist) { dest->tlsext_ellipticcurvelist =
.\cloneFuncs\totalClone\Type-1\CVE-2015-1791_before_imd_1431962868_ssl_session_dup.c
38
39
40
41
42
43
44
45
46
47
if(src->ciphers != NULL) { dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); if (dest->ciphers == NULL) goto err; } else { dest->ciphers = NULL; } if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &dest->ex_data, &src->ex_data)) {
+ show +
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
goto err; } /* We deliberately don't copy the prev and next pointers */ dest->prev = NULL; dest->next = NULL; #ifndef OPENSSL_NO_TLSEXT if (src->tlsext_hostname) { dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname); if (dest->tlsext_hostname == NULL) { goto err; } } else { dest->tlsext_hostname = NULL; } # ifndef OPENSSL_NO_EC if (src->tlsext_ecpointformatlist) { dest->tlsext_ecpointformatlist = BUF_memdup(src->tlsext_ecpointformatlist, src->tlsext_ecpointformatlist_length); if (dest->tlsext_ecpointformatlist == NULL) goto err; dest->tlsext_ecpointformatlist_length = src->tlsext_ecpointformatlist_length; } if (src->tlsext_ellipticcurvelist) { dest->tlsext_ellipticcurvelist =
+ show +
76
77
78
79
80
81
82
83
84
85
BUF_memdup(src->tlsext_ellipticcurvelist, src->tlsext_ellipticcurvelist_length); if (dest->tlsext_ellipticcurvelist == NULL) goto err; dest->tlsext_ellipticcurvelist_length = src->tlsext_ellipticcurvelist_length; } # endif #endif

[openssl_CVE-2015-1793_1435222035_X509_verify_cert.diff] X509_verify_cert_OLD.c #1
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } + if (ctx->chain != NULL) { + /* + * This X509_STORE_CTX has already been used to verify a cert. We + * cannot do another one. + */ + X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } cb = ctx->verify_cb;
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_before_imd_1435157736_X509_verify_cert.c
1
2
3
4
5
6
7
8
9
10
int X509_verify_cert(X509_STORE_CTX *ctx) { X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; int depth, i, ok = 0; int num, j, retry; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) {
+ show +
11
12
13
14
15
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb = ctx->verify_cb;
+ show +
16
17
18
19
20
21
22
23
24
25
/* * first we make sure the chain we are going to build is present and that * the first entry is in place */ if (ctx->chain == NULL) { if (((ctx->chain = sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end;
.\cloneFuncs\totalClone\Type-2\CVE-2015-1793_before_1mo_1431615408_X509_verify_cert.c
1
2
3
4
5
6
7
8
9
10
int X509_verify_cert(X509_STORE_CTX *ctx) { X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; int depth, i, ok = 0; int num, j, retry; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) {
+ show +
11
12
13
14
15
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb = ctx->verify_cb;
+ show +
16
17
18
19
20
21
22
23
24
25
/* * first we make sure the chain we are going to build is present and that * the first entry is in place */ if (ctx->chain == NULL) { if (((ctx->chain = sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end;
.\cloneFuncs\totalClone\Type-4\CVE-2015-1793_before_6mo_1410215688_X509_verify_cert.c
2
3
4
5
6
7
8
9
10
11
{ X509 *x,*xtmp,*chain_ss=NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; int depth,i,ok=0; int num; int (*cb)(int xok,X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp=NULL; if (ctx->cert == NULL) {
+ show +
12
13
14
15
16
X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb=ctx->verify_cb;
+ show +
17
18
19
20
21
22
23
24
25
26
/* first we make sure the chain we are going to build is * present and that the first entry is in place */ if (ctx->chain == NULL) { if ( ((ctx->chain=sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain,ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end;

[openssl_CVE-2015-1793_1435222035_X509_verify_cert.diff] X509_verify_cert_OLD.c #2
* first we make sure the chain we are going to build is present and that * the first entry is in place */ - if (ctx->chain == NULL) { - if (((ctx->chain = sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain, ctx->cert))) { - X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - goto end; - } - CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); - ctx->last_untrusted = 1; + if (((ctx->chain = sk_X509_new_null()) == NULL) || + (!sk_X509_push(ctx->chain, ctx->cert))) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + goto end; } + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_before_imd_1435157736_X509_verify_cert.c
8
9
10
11
12
13
14
15
16
17
int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb = ctx->verify_cb; /*
+ show +
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
* first we make sure the chain we are going to build is present and that * the first entry is in place */ if (ctx->chain == NULL) { if (((ctx->chain = sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); ctx->last_untrusted = 1; } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL
+ show +
33
34
35
36
37
38
39
40
41
42
&& (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } num = sk_X509_num(ctx->chain); x = sk_X509_value(ctx->chain, num - 1); depth = param->depth; for (;;) {
.\cloneFuncs\totalClone\Type-2\CVE-2015-1793_before_1mo_1431615408_X509_verify_cert.c
8
9
10
11
12
13
14
15
16
17
int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb = ctx->verify_cb; /*
+ show +
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
* first we make sure the chain we are going to build is present and that * the first entry is in place */ if (ctx->chain == NULL) { if (((ctx->chain = sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); ctx->last_untrusted = 1; } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL
+ show +
33
34
35
36
37
38
39
40
41
42
&& (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } num = sk_X509_num(ctx->chain); x = sk_X509_value(ctx->chain, num - 1); depth = param->depth; for (;;) {

[openssl_CVE-2015-1794_1439204429_BN_MONT_CTX_set.diff] BN_MONT_CTX_set_OLD.c #1
int ret = 0; BIGNUM *Ri, *R; + if (BN_is_zero(mod)) + return 0; + BN_CTX_start(ctx); if ((Ri = BN_CTX_get(ctx)) == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2015-1794_before_1mo_1431615408_BN_MONT_CTX_set.c
1
2
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
+ show +
3
4
5
6
7
8
int ret = 0; BIGNUM *Ri, *R; BN_CTX_start(ctx); if ((Ri = BN_CTX_get(ctx)) == NULL) goto err;
+ show +
9
10
11
12
13
14
15
16
17
18
R = &(mont->RR); /* grab RR as a temp */ if (!BN_copy(&(mont->N), mod)) goto err; /* Set N */ mont->N.neg = 0; #ifdef MONT_WORD { BIGNUM tmod; BN_ULONG buf[2];

[xen_CVE-2015-2044_1425558894_vpic_intercept_pic_io.diff] vpic_intercept_pic_io_OLD.c #1
if ( bytes != 1 ) { gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); + *val = ~0; return X86EMUL_OKAY; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-2044_before_1mo_1397038560_vpic_intercept_pic_io.c
1
2
3
4
5
static int vpic_intercept_pic_io( int dir, uint32_t port, uint32_t bytes, uint32_t *val) { struct hvm_hw_vpic *vpic;
+ show +
6
7
8
9
10
if ( bytes != 1 ) { gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); return X86EMUL_OKAY; }
+ show +
11
12
13
14
15
16
17
18
19
20
vpic = &current->domain->arch.hvm_domain.vpic[port >> 7]; if ( dir == IOREQ_WRITE ) vpic_ioport_write(vpic, port, (uint8_t)*val); else *val = (uint8_t)vpic_ioport_read(vpic, port); return X86EMUL_OKAY; }

[linux_CVE-2015-2150_1426081877_command_write.diff] command_write_OLD.c #1
{ struct xen_pcibk_dev_data *dev_data; int err; + u16 val; + struct pci_cmd_info *cmd = data; dev_data = pci_get_drvdata(dev); if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-2150_before_imd_1372414901_command_write.c
1
static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
+ show +
2
3
4
5
6
7
{ struct xen_pcibk_dev_data *dev_data; int err; dev_data = pci_get_drvdata(dev); if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
+ show +
8
9
10
11
12
13
14
15
16
17
if (unlikely(verbose_request)) printk(KERN_DEBUG DRV_NAME ": %s: enable\n", pci_name(dev)); err = pci_enable_device(dev); if (err) return err; if (dev_data) dev_data->enable_intx = 1; } else if (pci_is_enabled(dev) && !is_enable_cmd(value)) { if (unlikely(verbose_request))
.\cloneFuncs\totalClone\Type-3\CVE-2015-2150_before_1mo_1316636531_command_write.c
1
static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
+ show +
2
3
4
5
6
7
{ struct xen_pcibk_dev_data *dev_data; int err; dev_data = pci_get_drvdata(dev); if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
+ show +
8
9
10
11
12
13
14
15
16
17
if (unlikely(verbose_request)) printk(KERN_DEBUG DRV_NAME ": %s: enable\n", pci_name(dev)); err = pci_enable_device(dev); if (err) return err; if (dev_data) dev_data->enable_intx = 1; } else if (pci_is_enabled(dev) && !is_enable_cmd(value)) { if (unlikely(verbose_request))

[qemu_CVE-2015-7504_1448000431_pcnet_transmit.diff] pcnet_transmit_OLD.c #1
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); /* if multi-tmd packet outsizes s->buffer then skip it silently. - Note: this is not what real hw does */ - if (s->xmit_pos + bcnt > sizeof(s->buffer)) { + * Note: this is not what real hw does. + * Last four bytes of s->buffer are used to store CRC FCS code. + */ + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { s->xmit_pos = -1; goto txdone; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-3209_after_1mo_1438005222_pcnet_transmit.c
36
37
38
39
40
41
42
43
44
45
SET_FIELD(&tmd.status, TMDS, OWN, 0); s->csr[0] |= 0xa000; /* ERR | CERR */ s->xmit_pos = -1; goto txdone; } if (s->xmit_pos < 0) { goto txdone; }
+ show +
46
47
48
49
50
51
52
53
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); /* if multi-tmd packet outsizes s->buffer then skip it silently. Note: this is not what real hw does */ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { s->xmit_pos = -1; goto txdone; }
+ show +
54
55
56
57
58
59
60
61
62
63
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); s->xmit_pos += bcnt; if (!GET_FIELD(tmd.status, TMDS, ENP)) { goto txdone; } #ifdef PCNET_DEBUG

[qemu_CVE-2015-3209_1432457624_pcnet_transmit.diff] pcnet_transmit_OLD.c #1
} bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); + + /* if multi-tmd packet outsizes s->buffer then skip it silently. + Note: this is not what real hw does */ + if (s->xmit_pos + bcnt > sizeof(s->buffer)) { + s->xmit_pos = -1; + goto txdone; + } + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); s->xmit_pos += bcnt;
.\cloneFuncs\totalClone\Type-1\CVE-2015-3209_before_1mo_1421436099_pcnet_transmit.c
34
35
36
37
38
39
40
41
42
43
SET_FIELD(&tmd.misc, TMDM, LCAR, 1); SET_FIELD(&tmd.status, TMDS, ERR, 1); SET_FIELD(&tmd.status, TMDS, OWN, 0); s->csr[0] |= 0xa000; /* ERR | CERR */ s->xmit_pos = -1; goto txdone; } if (s->xmit_pos < 0) { goto txdone;
+ show +
44
45
46
47
48
49
} bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); s->xmit_pos += bcnt;
+ show +
50
51
52
53
54
55
56
57
58
59
if (!GET_FIELD(tmd.status, TMDS, ENP)) { goto txdone; } #ifdef PCNET_DEBUG printf("pcnet_transmit size=%d\n", s->xmit_pos); #endif if (CSR_LOOP(s)) { if (BCR_SWSTYLE(s) == 1)

[qemu_CVE-2015-3214_1434537971_pit_ioport_read.diff] pit_ioport_read_OLD.c #1
PITChannelState *s; addr &= 3; + + if (addr == 3) { + /* Mode/Command register is write only, read is ignored */ + return 0; + } + s = &pit->channels[addr]; if (s->status_latched) { s->status_latched = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2015-3214_before_1mo_1391853713_pit_ioport_read.c
1
2
3
4
5
static uint64_t pit_ioport_read(void *opaque, hwaddr addr, unsigned size) { PITCommonState *pit = opaque; int ret, count;
+ show +
6
7
8
9
10
11
PITChannelState *s; addr &= 3; s = &pit->channels[addr]; if (s->status_latched) { s->status_latched = 0;
+ show +
12
13
14
15
16
17
18
19
20
21
ret = s->status; } else if (s->count_latched) { switch(s->count_latched) { default: case RW_STATE_LSB: ret = s->latched_count & 0xff; s->count_latched = 0; break; case RW_STATE_MSB: ret = s->latched_count >> 8;

[ffmpeg_CVE-2015-3395_1432583606_msrle_decode_pal4.diff] msrle_decode_pal4_OLD.c #1
unsigned int pixel_ptr = 0; int row_dec = pic->linesize[0]; int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int frame_size = FFABS(row_dec) * avctx->height; int i; while (row_ptr >= 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2015-3395_before_1mo_1333213854_msrle_decode_pal4.c
1
2
3
4
5
6
static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, GetByteContext *gb) { unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte;
+ show +
7
8
9
10
11
12
13
unsigned int pixel_ptr = 0; int row_dec = pic->linesize[0]; int row_ptr = (avctx->height - 1) * row_dec; int frame_size = row_dec * avctx->height; int i; while (row_ptr >= 0) {
+ show +
14
15
16
17
18
19
20
21
22
23
if (bytestream2_get_bytes_left(gb) <= 0) { av_log(avctx, AV_LOG_ERROR, "MS RLE: bytestream overrun, %d rows left\n", row_ptr); return AVERROR_INVALIDDATA; } rle_code = stream_byte = bytestream2_get_byteu(gb); if (rle_code == 0) { /* fetch the next byte to see how to handle escape code */ stream_byte = bytestream2_get_byte(gb);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3395_before_6mo_1329117840_msrle_decode_pal4.c
1
2
3
4
5
6
7
static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, const uint8_t *data, int data_size) { int stream_ptr = 0; unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte;
+ show +
8
9
10
11
12
13
14
unsigned int pixel_ptr = 0; int row_dec = pic->linesize[0]; int row_ptr = (avctx->height - 1) * row_dec; int frame_size = row_dec * avctx->height; int i; while (row_ptr >= 0) {
+ show +
15
16
17
18
19
20
21
22
23
24
FETCH_NEXT_STREAM_BYTE(); rle_code = stream_byte; if (rle_code == 0) { /* fetch the next byte to see how to handle escape code */ FETCH_NEXT_STREAM_BYTE(); if (stream_byte == 0) { /* line is done, goto the next one */ row_ptr -= row_dec; pixel_ptr = 0; } else if (stream_byte == 1) {

[ffmpeg_CVE-2015-3417_1432585810_ff_h264_decode_slice_header.diff] ff_h264_decode_slice_header_OLD.c #1
} if (h->context_initialized && needs_reinit) { + h->context_initialized = 0; if (sl != h->slice_ctx) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on "
.\cloneFuncs\totalClone\Type-1\CVE-2015-3417_before_imd_1431334367_ff_h264_decode_slice_header.c
131
132
133
134
135
136
137
138
139
140
if (h->sps.video_signal_type_present_flag) { h->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; if (h->sps.colour_description_present_flag) { if (h->avctx->colorspace != h->sps.colorspace) needs_reinit = 1; h->avctx->color_primaries = h->sps.color_primaries; h->avctx->color_trc = h->sps.color_trc; h->avctx->colorspace = h->sps.colorspace; }
+ show +
141
142
143
144
145
146
} if (h->context_initialized && needs_reinit) { if (sl != h->slice_ctx) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on "
+ show +
147
148
149
150
151
152
153
154
155
156
"slice %d\n", h->width, h->avctx->coded_width, h->height, h->avctx->coded_height, h->current_slice + 1); return AVERROR_INVALIDDATA; } ff_h264_flush_change(h); if ((ret = get_pixel_format(h)) < 0)
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_before_1mo_1426496256_ff_h264_decode_slice_header.c
122
123
124
125
126
127
128
129
130
131
if (h->sps.video_signal_type_present_flag) { h->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; if (h->sps.colour_description_present_flag) { if (h->avctx->colorspace != h->sps.colorspace) needs_reinit = 1; h->avctx->color_primaries = h->sps.color_primaries; h->avctx->color_trc = h->sps.color_trc; h->avctx->colorspace = h->sps.colorspace; }
+ show +
132
133
134
135
136
137
} if (h->context_initialized && needs_reinit) { if (sl != h->slice_ctx) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on "
+ show +
138
139
140
141
142
143
144
145
146
147
"slice %d\n", h->width, h->avctx->coded_width, h->height, h->avctx->coded_height, h->current_slice + 1); return AVERROR_INVALIDDATA; } ff_h264_flush_change(h); if ((ret = get_pixel_format(h)) < 0)

[qemu_CVE-2015-3456_1432214377_fdctrl_read_data.diff] fdctrl_read_data_OLD.c #1
} if (++fdctrl->data_pos == fdctrl->data_len) { + fdctrl->msr &= ~FD_MSR_RQM; fdctrl_stop_transfer(fdctrl, 0x00, 0x00, 0x00); } break;
.\cloneFuncs\totalClone\Type-1\CVE-2015-3456_before_imd_1432214376_fdctrl_read_data.c
27
28
29
30
31
32
33
34
35
36
fd_sector(cur_drv)); return 0; } if (blk_read(cur_drv->blk, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) { FLOPPY_DPRINTF("error getting sector %d\n", fd_sector(cur_drv)); /* Sure, image size is too small... */ memset(fdctrl->fifo, 0, FD_SECTOR_LEN); }
+ show +
37
38
39
40
41
42
} if (++fdctrl->data_pos == fdctrl->data_len) { fdctrl_stop_transfer(fdctrl, 0x00, 0x00, 0x00); } break;
+ show +
43
44
45
46
47
48
49
50
51
52
case FD_PHASE_RESULT: assert(!(fdctrl->msr & FD_MSR_NONDMA)); if (++fdctrl->data_pos == fdctrl->data_len) { fdctrl_to_command_phase(fdctrl); fdctrl_reset_irq(fdctrl); } break; case FD_PHASE_COMMAND:

[qemu_CVE-2015-3456_1432214377_fdctrl_read_data.diff] fdctrl_read_data_OLD.c #2
case FD_PHASE_RESULT: assert(!(fdctrl->msr & FD_MSR_NONDMA)); if (++fdctrl->data_pos == fdctrl->data_len) { + fdctrl->msr &= ~FD_MSR_RQM; fdctrl_to_command_phase(fdctrl); fdctrl_reset_irq(fdctrl); }
.\cloneFuncs\totalClone\Type-1\CVE-2015-3456_before_imd_1432214376_fdctrl_read_data.c
34
35
36
37
38
39
40
41
42
43
/* Sure, image size is too small... */ memset(fdctrl->fifo, 0, FD_SECTOR_LEN); } } if (++fdctrl->data_pos == fdctrl->data_len) { fdctrl_stop_transfer(fdctrl, 0x00, 0x00, 0x00); } break;
+ show +
44
45
46
47
48
49
case FD_PHASE_RESULT: assert(!(fdctrl->msr & FD_MSR_NONDMA)); if (++fdctrl->data_pos == fdctrl->data_len) { fdctrl_to_command_phase(fdctrl); fdctrl_reset_irq(fdctrl); }
+ show +
50
51
52
53
54
55
56
57
58
59
break; case FD_PHASE_COMMAND: default: abort(); } retval = fdctrl->fifo[pos]; FLOPPY_DPRINTF("data register: 0x%02x\n", retval);

[qemu_CVE-2015-3456_1432214377_fdctrl_write_data.diff] fdctrl_write_data_OLD.c #1
pos %= FD_SECTOR_LEN; fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + fdctrl->msr &= ~FD_MSR_RQM; + } + switch (fdctrl->phase) { case FD_PHASE_EXECUTION: /* For DMA requests, RQM should be cleared during execution phase, so
.\cloneFuncs\totalClone\Type-1\CVE-2015-3456_before_imd_1432214376_fdctrl_write_data.c
14
15
16
17
18
19
20
21
22
23
return; } fdctrl->dsr &= ~FD_DSR_PWRDOWN; FLOPPY_DPRINTF("%s: %02x\n", __func__, value); /* If data_len spans multiple sectors, the current position in the FIFO * wraps around while fdctrl->data_pos is the real position in the whole * request. */ pos = fdctrl->data_pos++;
+ show +
24
25
26
27
28
29
pos %= FD_SECTOR_LEN; fdctrl->fifo[pos] = value; switch (fdctrl->phase) { case FD_PHASE_EXECUTION: /* For DMA requests, RQM should be cleared during execution phase, so
+ show +
30
31
32
33
34
35
36
37
38
39
* we would have errored out above. */ assert(fdctrl->msr & FD_MSR_NONDMA); /* FIFO data write */ if (pos == FD_SECTOR_LEN - 1 || fdctrl->data_pos == fdctrl->data_len) { cur_drv = get_cur_drv(fdctrl); if (blk_write(cur_drv->blk, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) { FLOPPY_DPRINTF("error writing sector %d\n",

[qemu_CVE-2015-3456_1432214377_fdctrl_write_data.diff] fdctrl_write_data_OLD.c #2
* as many parameters as this command requires. */ cmd = get_command(value); fdctrl->data_len = cmd->parameters + 1; + if (cmd->parameters) { + fdctrl->msr |= FD_MSR_RQM; + } fdctrl->msr |= FD_MSR_CMDBUSY; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-3456_before_imd_1432214376_fdctrl_write_data.c
52
53
54
55
56
57
58
59
60
61
fdctrl_stop_transfer(fdctrl, 0x00, 0x00, 0x00); } break; case FD_PHASE_COMMAND: assert(!(fdctrl->msr & FD_MSR_NONDMA)); assert(fdctrl->data_pos < FD_SECTOR_LEN); if (pos == 0) { /* The first byte specifies the command. Now we start reading
+ show +
62
63
64
65
66
* as many parameters as this command requires. */ cmd = get_command(value); fdctrl->data_len = cmd->parameters + 1; fdctrl->msr |= FD_MSR_CMDBUSY; }
+ show +
67
68
69
70
71
72
73
74
75
76
if (fdctrl->data_pos == fdctrl->data_len) { /* We have all parameters now, execute the command */ fdctrl->phase = FD_PHASE_EXECUTION; if (fdctrl->data_state & FD_STATE_FORMAT) { fdctrl_format_sector(fdctrl); break; }

[qemu_CVE-2015-4037_1432811546_slirp_smb.diff] slirp_smb_OLD.c #1
static int slirp_smb(SlirpState* s, const char *exported_dir, struct in_addr vserver_addr) { - static int instance; char smb_conf[128]; char smb_cmdline[128]; struct passwd *passwd;
.\cloneFuncs\totalClone\Type-1\CVE-2015-4037_before_1mo_1423228704_slirp_smb.c
+ show +
1
2
3
4
5
6
7
static int slirp_smb(SlirpState* s, const char *exported_dir, struct in_addr vserver_addr) { static int instance; char smb_conf[128]; char smb_cmdline[128]; struct passwd *passwd;
+ show +
8
9
10
11
12
13
14
15
16
17
FILE *f; passwd = getpwuid(geteuid()); if (!passwd) { error_report("failed to retrieve user name"); return -1; } if (access(CONFIG_SMBD_COMMAND, F_OK)) { error_report("could not find '%s', please install it",

[qemu_CVE-2015-4037_1432811546_slirp_smb.diff] slirp_smb_OLD.c #2
return -1; } - snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", - (long)getpid(), instance++); - if (mkdir(s->smb_dir, 0700) < 0) { + snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX"); + if (!mkdtemp(s->smb_dir)) { error_report("could not create samba server dir '%s'", s->smb_dir); + s->smb_dir[0] = 0; return -1; } snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
.\cloneFuncs\totalClone\Type-1\CVE-2015-4037_before_1mo_1423228704_slirp_smb.c
15
16
17
18
19
20
21
22
23
24
if (access(CONFIG_SMBD_COMMAND, F_OK)) { error_report("could not find '%s', please install it", CONFIG_SMBD_COMMAND); return -1; } if (access(exported_dir, R_OK | X_OK)) { error_report("error accessing shared directory '%s': %s", exported_dir, strerror(errno));
+ show +
25
26
27
28
29
30
31
32
33
34
return -1; } snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", (long)getpid(), instance++); if (mkdir(s->smb_dir, 0700) < 0) { error_report("could not create samba server dir '%s'", s->smb_dir); return -1; } snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
+ show +
35
36
37
38
39
40
41
42
43
44
f = fopen(smb_conf, "w"); if (!f) { slirp_smb_cleanup(s); error_report("could not create samba server configuration file '%s'", smb_conf); return -1; } fprintf(f, "[global]\n"

[xen_CVE-2015-4164_1434026687_compat_iret.diff] compat_iret_OLD.c #1
} else if ( ksp > regs->_esp ) { - for (i = 9; i > 0; ++i) + for ( i = 9; i > 0; --i ) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
.\cloneFuncs\totalClone\Type-1\CVE-2015-4164_before_imd_1427364508_compat_iret.c
41
42
43
44
45
46
47
48
49
50
gdprintk(XENLOG_ERR, "VM86 mode unavailable (ksp:%08X->%08X)\n", regs->_esp, ksp); if ( ksp < regs->_esp ) { for (i = 1; i < 10; ++i) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i); }
+ show +
51
52
53
54
55
56
57
} else if ( ksp > regs->_esp ) { for (i = 9; i > 0; ++i) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
+ show +
58
59
60
61
62
63
64
65
66
67
} } if ( rc ) goto exit_and_crash; regs->_esp = ksp; regs->ss = v->arch.pv_vcpu.kernel_ss; ti = &v->arch.pv_vcpu.trap_ctxt[TRAP_gp_fault]; if ( TI_GET_IF(ti) ) eflags &= ~X86_EFLAGS_IF;
.\cloneFuncs\totalClone\Type-2\CVE-2015-4164_before_1mo_1402398827_compat_iret.c
41
42
43
44
45
46
47
48
49
50
gdprintk(XENLOG_ERR, "VM86 mode unavailable (ksp:%08X->%08X)\n", regs->_esp, ksp); if ( ksp < regs->_esp ) { for (i = 1; i < 10; ++i) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i); }
+ show +
51
52
53
54
55
56
57
} else if ( ksp > regs->_esp ) { for (i = 9; i > 0; ++i) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
+ show +
58
59
60
61
62
63
64
65
66
67
} } if ( rc ) goto exit_and_crash; regs->_esp = ksp; regs->ss = v->arch.pv_vcpu.kernel_ss; ti = &v->arch.pv_vcpu.trap_ctxt[TRAP_gp_fault]; if ( TI_GET_IF(ti) ) eflags &= ~X86_EFLAGS_IF;

[qemu_CVE-2015-5154_1437968573_ide_data_readl.diff] ide_data_readl_OLD.c #1
} p = s->data_ptr; + if (p + 4 > s->data_end) { + return 0; + } + ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5154_before_1mo_1411474194_ide_data_readl.c
2
3
4
5
6
7
8
9
10
11
{ IDEBus *bus = opaque; IDEState *s = idebus_active_if(bus); uint8_t *p; int ret; /* PIO data access allowed only when DRQ bit is set. The result of a read * during PIO in is indeterminate, return 0 and don't move forward. */ if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) { return 0;
+ show +
12
13
14
15
16
17
} p = s->data_ptr; ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p;
+ show +
18
19
20
21
if (p >= s->data_end) s->end_transfer_func(s); return ret; }

[qemu_CVE-2015-5154_1437968573_ide_data_readw.diff] ide_data_readw_OLD.c #1
} p = s->data_ptr; + if (p + 2 > s->data_end) { + return 0; + } + ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5154_before_1mo_1411474194_ide_data_readw.c
2
3
4
5
6
7
8
9
10
11
{ IDEBus *bus = opaque; IDEState *s = idebus_active_if(bus); uint8_t *p; int ret; /* PIO data access allowed only when DRQ bit is set. The result of a read * during PIO in is indeterminate, return 0 and don't move forward. */ if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) { return 0;
+ show +
12
13
14
15
16
17
} p = s->data_ptr; ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p;
+ show +
18
19
20
21
if (p >= s->data_end) s->end_transfer_func(s); return ret; }

[qemu_CVE-2015-5165_1436978369_rtl8139_cplus_transmit_one.diff] rtl8139_cplus_transmit_one_OLD.c #1
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); + /* Invalid TCP data offset? */ + if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { + goto skip_offload; + } + /* ETH_MTU = ip header len + tcp header len + payload */ int tcp_data_len = ip_data_len - tcp_hlen; int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5165_before_imd_1436978175_rtl8139_cplus_transmit_one.c
274
275
276
277
278
279
280
281
282
283
/* save IP header template; data area is used in tcp checksum calculation */ memcpy(saved_ip_header, eth_payload_data, hlen); /* a placeholder for checksum calculation routine in tcp case */ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; // size_t data_to_checksum_len = eth_payload_len - hlen + 12; /* pointer to TCP header */ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
+ show +
284
285
286
287
288
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); /* ETH_MTU = ip header len + tcp header len + payload */ int tcp_data_len = ip_data_len - tcp_hlen; int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
+ show +
289
290
291
292
293
294
295
296
297
298
DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " "data len %d TCP chunk size %d\n", ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size); /* note the cycle below overwrites IP header data, but restores it from saved_ip_header before sending packet */ int is_last_frame = 0;
.\cloneFuncs\totalClone\Type-4\CVE-2015-5165_before_1mo_1411474194_rtl8139_cplus_transmit_one.c
262
263
264
265
266
267
268
269
270
271
/* save IP header template; data area is used in tcp checksum calculation */ memcpy(saved_ip_header, eth_payload_data, hlen); /* a placeholder for checksum calculation routine in tcp case */ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; // size_t data_to_checksum_len = eth_payload_len - hlen + 12; /* pointer to TCP header */ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
+ show +
272
273
274
275
276
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); /* ETH_MTU = ip header len + tcp header len + payload */ int tcp_data_len = ip_data_len - tcp_hlen; int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
+ show +
277
278
279
280
281
282
283
284
285
286
DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " "data len %d TCP chunk size %d\n", ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size); /* note the cycle below overwrites IP header data, but restores it from saved_ip_header before sending packet */ int is_last_frame = 0;
.\cloneFuncs\totalClone\Type-4\CVE-2015-5165_before_6mo_1419353599_rtl8139_cplus_transmit_one.c
276
277
278
279
280
281
282
283
284
285
/* save IP header template; data area is used in tcp checksum calculation */ memcpy(saved_ip_header, eth_payload_data, hlen); /* a placeholder for checksum calculation routine in tcp case */ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; // size_t data_to_checksum_len = eth_payload_len - hlen + 12; /* pointer to TCP header */ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
+ show +
286
287
288
289
290
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); /* ETH_MTU = ip header len + tcp header len + payload */ int tcp_data_len = ip_data_len - tcp_hlen; int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
+ show +
291
292
293
294
295
296
297
298
299
300
DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " "data len %d TCP chunk size %d\n", ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size); /* note the cycle below overwrites IP header data, but restores it from saved_ip_header before sending packet */ int is_last_frame = 0;

[qemu_CVE-2015-5225_1439834213_vnc_refresh_server_surface.diff] vnc_refresh_server_surface_OLD.c #1
pixman_image_get_width(vd->server)); int height = MIN(pixman_image_get_height(vd->guest.fb), pixman_image_get_height(vd->server)); - int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; + int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0; uint8_t *guest_row0 = NULL, *server_row0; VncState *vs; int has_dirty = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5225_before_1mo_1436878300_vnc_refresh_server_surface.c
1
2
3
static int vnc_refresh_server_surface(VncDisplay *vd) { int width = MIN(pixman_image_get_width(vd->guest.fb),
+ show +
4
5
6
7
8
9
10
pixman_image_get_width(vd->server)); int height = MIN(pixman_image_get_height(vd->guest.fb), pixman_image_get_height(vd->server)); int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; uint8_t *guest_row0 = NULL, *server_row0; VncState *vs; int has_dirty = 0;
+ show +
11
12
13
14
15
16
17
18
19
20
pixman_image_t *tmpbuf = NULL; struct timeval tv = { 0, 0 }; if (!vd->non_adaptive) { gettimeofday(&tv, NULL); has_dirty = vnc_update_stats(vd, &tv); } /*

[qemu_CVE-2015-5225_1439834213_vnc_refresh_server_surface.diff] vnc_refresh_server_surface_OLD.c #2
* Update server dirty map. */ server_row0 = (uint8_t *)pixman_image_get_data(vd->server); - server_stride = guest_stride = pixman_image_get_stride(vd->server); + server_stride = guest_stride = guest_ll = + pixman_image_get_stride(vd->server); cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, server_stride); if (vd->guest.format != VNC_SERVER_FB_FORMAT) { int width = pixman_image_get_width(vd->server); tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); } else { + int guest_bpp = + PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb)); guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); guest_stride = pixman_image_get_stride(vd->guest.fb); + guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8); } - min_stride = MIN(server_stride, guest_stride); + line_bytes = MIN(server_stride, guest_ll); for (;;) { int x;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5225_before_1mo_1436878300_vnc_refresh_server_surface.c
13
14
15
16
17
18
19
20
21
22
struct timeval tv = { 0, 0 }; if (!vd->non_adaptive) { gettimeofday(&tv, NULL); has_dirty = vnc_update_stats(vd, &tv); } /* * Walk through the guest dirty map. * Check and copy modified bits from guest to server surface.
+ show +
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
* Update server dirty map. */ server_row0 = (uint8_t *)pixman_image_get_data(vd->server); server_stride = guest_stride = pixman_image_get_stride(vd->server); cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, server_stride); if (vd->guest.format != VNC_SERVER_FB_FORMAT) { int width = pixman_image_get_width(vd->server); tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); } else { guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); guest_stride = pixman_image_get_stride(vd->guest.fb); } min_stride = MIN(server_stride, guest_stride); for (;;) { int x;
+ show +
40
41
42
43
44
45
46
47
48
49
uint8_t *guest_ptr, *server_ptr; unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty, height * VNC_DIRTY_BPL(&vd->guest), y * VNC_DIRTY_BPL(&vd->guest)); if (offset == height * VNC_DIRTY_BPL(&vd->guest)) { /* no more dirty bits */ break; } y = offset / VNC_DIRTY_BPL(&vd->guest); x = offset % VNC_DIRTY_BPL(&vd->guest);

[qemu_CVE-2015-5225_1439834213_vnc_refresh_server_surface.diff] vnc_refresh_server_surface_OLD.c #3
if (!test_and_clear_bit(x, vd->guest.dirty[y])) { continue; } - if ((x + 1) * cmp_bytes > min_stride) { - _cmp_bytes = min_stride - x * cmp_bytes; + if ((x + 1) * cmp_bytes > line_bytes) { + _cmp_bytes = line_bytes - x * cmp_bytes; } + assert(_cmp_bytes >= 0); if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { continue; }
.\cloneFuncs\totalClone\Type-1\CVE-2015-5225_before_1mo_1436878300_vnc_refresh_server_surface.c
54
55
56
57
58
59
60
61
62
63
qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y); guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf); } else { guest_ptr = guest_row0 + y * guest_stride; } guest_ptr += x * cmp_bytes; for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT); x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) { int _cmp_bytes = cmp_bytes;
+ show +
64
65
66
67
68
69
70
71
72
if (!test_and_clear_bit(x, vd->guest.dirty[y])) { continue; } if ((x + 1) * cmp_bytes > min_stride) { _cmp_bytes = min_stride - x * cmp_bytes; } if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { continue; }
+ show +
73
74
75
76
77
78
79
80
81
82
memcpy(server_ptr, guest_ptr, _cmp_bytes); if (!vd->non_adaptive) { vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT, y, &tv); } QTAILQ_FOREACH(vs, &vd->clients, next) { set_bit(x, vs->dirty[y]); } has_dirty++; }

[qemu_CVE-2015-5278_1442315819_ne2000_receive.diff] ne2000_receive_OLD.c #1
if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5278_before_imd_1442315449_ne2000_receive.c
68
69
70
71
72
73
74
75
76
77
if (buf[0] & 0x01) s->rsr |= ENRSR_PHY; p[0] = s->rsr; p[1] = next >> 8; p[2] = total_len; p[3] = total_len >> 8; index += 4; /* write packet data */ while (size > 0) {
+ show +
78
79
80
81
82
83
84
if (index <= s->stop) avail = s->stop - index; else avail = 0; len = size; if (len > avail) len = avail;
+ show +
85
86
87
88
89
90
91
92
93
94
memcpy(s->mem + index, buf, len); buf += len; index += len; if (index == s->stop) index = s->start; size -= len; } s->curpag = next >> 8; /* now we can signal we have received something */
.\cloneFuncs\totalClone\Type-1\CVE-2015-5279_before_1mo_1421679150_ne2000_receive.c
65
66
67
68
69
70
71
72
73
74
if (buf[0] & 0x01) s->rsr |= ENRSR_PHY; p[0] = s->rsr; p[1] = next >> 8; p[2] = total_len; p[3] = total_len >> 8; index += 4; /* write packet data */ while (size > 0) {
+ show +
75
76
77
78
79
80
81
if (index <= s->stop) avail = s->stop - index; else avail = 0; len = size; if (len > avail) len = avail;
+ show +
82
83
84
85
86
87
88
89
90
91
memcpy(s->mem + index, buf, len); buf += len; index += len; if (index == s->stop) index = s->start; size -= len; } s->curpag = next >> 8; /* now we can signal we have received something */

[qemu_CVE-2015-5279_1442315449_ne2000_ioport_write.diff] ne2000_ioport_write_OLD.c #1
offset = addr | (page << 4); switch(offset) { case EN0_STARTPG: - s->start = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->start = val << 8; + } break; case EN0_STOPPG: - s->stop = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->stop = val << 8; + } break; case EN0_BOUNDARY: - s->boundary = val; + if (val << 8 < NE2000_PMEM_END) { + s->boundary = val; + } break; case EN0_IMR: s->imr = val;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5279_before_1mo_1421679150_ne2000_ioport_write.c
30
31
32
33
34
35
36
37
38
39
} /* signal end of transfer */ s->tsr = ENTSR_PTX; s->isr |= ENISR_TX; s->cmd &= ~E8390_TRANS; ne2000_update_irq(s); } } } else { page = s->cmd >> 6;
+ show +
40
41
42
43
44
45
46
47
48
49
50
51
52
offset = addr | (page << 4); switch(offset) { case EN0_STARTPG: s->start = val << 8; break; case EN0_STOPPG: s->stop = val << 8; break; case EN0_BOUNDARY: s->boundary = val; break; case EN0_IMR: s->imr = val;
+ show +
53
54
55
56
57
58
59
60
61
62
ne2000_update_irq(s); break; case EN0_TPSR: s->tpsr = val; break; case EN0_TCNTLO: s->tcnt = (s->tcnt & 0xff00) | val; break; case EN0_TCNTHI: s->tcnt = (s->tcnt & 0x00ff) | (val << 8);

[qemu_CVE-2015-5279_1442315449_ne2000_receive.diff] ne2000_receive_OLD.c #1
} index = s->curpag << 8; + if (index >= NE2000_PMEM_END) { + index = s->start; + } /* 4 bytes for header */ total_len = size + 4; /* address for next packet (4 bytes for CRC) */
.\cloneFuncs\totalClone\Type-1\CVE-2015-5279_before_1mo_1421679150_ne2000_receive.c
42
43
44
45
46
47
48
49
50
51
} } /* if too small buffer, then expand it */ if (size < MIN_BUF_SIZE) { memcpy(buf1, buf, size); memset(buf1 + size, 0, MIN_BUF_SIZE - size); buf = buf1; size = MIN_BUF_SIZE;
+ show +
52
53
54
55
56
57
} index = s->curpag << 8; /* 4 bytes for header */ total_len = size + 4; /* address for next packet (4 bytes for CRC) */
+ show +
58
59
60
61
62
63
64
65
66
67
next = index + ((total_len + 4 + 255) & ~0xff); if (next >= s->stop) next -= (s->stop - s->start); /* prepare packet header */ p = s->mem + index; s->rsr = ENRSR_RXOK; /* receive status */ /* XXX: check this */ if (buf[0] & 0x01) s->rsr |= ENRSR_PHY; p[0] = s->rsr;

[xen_CVE-2015-5307_1447153388_vmx_vmexit_handler.diff] vmx_vmexit_handler_OLD.c #1
__vmread(EXIT_QUALIFICATION, &exit_qualification); HVMTRACE_1D(TRAP_DEBUG, exit_qualification); write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE); - if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) - goto exit_and_crash; - domain_pause_for_debugger(); + if ( !v->domain->debugger_attached ) + hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE); + else + domain_pause_for_debugger(); break; case TRAP_int3: {
.\cloneFuncs\totalClone\Type-1\CVE-2015-5307_before_1mo_1440757025_vmx_vmexit_handler.c
186
187
188
189
190
191
192
193
194
195
perfc_incra(cause_vector, vector); switch ( vector ) { case TRAP_debug: /* * Updates DR6 where debugger can peek (See 3B 23.2.1, * Table 23-1, "Exit Qualification for Debug Exceptions"). */
+ show +
196
197
198
199
200
201
202
203
204
__vmread(EXIT_QUALIFICATION, &exit_qualification); HVMTRACE_1D(TRAP_DEBUG, exit_qualification); write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE); if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) goto exit_and_crash; domain_pause_for_debugger(); break; case TRAP_int3: {
+ show +
205
206
207
208
209
210
211
212
213
214
HVMTRACE_1D(TRAP, vector); if ( v->domain->debugger_attached ) { update_guest_eip(); /* Safe: INT3 */ v->arch.gdbsx_vcpu_event = TRAP_int3; domain_pause_for_debugger(); break; } else { int handled = hvm_event_int3(regs->eip);
.\cloneFuncs\totalClone\Type-3\CVE-2015-5307_before_6mo_1430734663_vmx_vmexit_handler.c
150
151
152
153
154
155
156
157
158
159
perfc_incra(cause_vector, vector); switch ( vector ) { case TRAP_debug: /* * Updates DR6 where debugger can peek (See 3B 23.2.1, * Table 23-1, "Exit Qualification for Debug Exceptions"). */
+ show +
160
161
162
163
164
165
166
167
168
__vmread(EXIT_QUALIFICATION, &exit_qualification); HVMTRACE_1D(TRAP_DEBUG, exit_qualification); write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE); if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) goto exit_and_crash; domain_pause_for_debugger(); break; case TRAP_int3: {
+ show +
169
170
171
172
173
174
175
176
177
178
HVMTRACE_1D(TRAP, vector); if ( v->domain->debugger_attached ) { update_guest_eip(); /* Safe: INT3 */ v->arch.gdbsx_vcpu_event = TRAP_int3; domain_pause_for_debugger(); break; } else { int handled = hvm_event_int3(regs->eip);

[xen_CVE-2015-5307_1447153388_vmx_vmexit_handler.diff] vmx_vmexit_handler_OLD.c #2
hvm_inject_page_fault(regs->error_code, exit_qualification); break; + case TRAP_alignment_check: + HVMTRACE_1D(TRAP, vector); + __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode); + hvm_inject_hw_exception(vector, ecode); + break; case TRAP_nmi: if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) != X86_EVENTTYPE_NMI )
.\cloneFuncs\totalClone\Type-1\CVE-2015-5307_before_1mo_1440757025_vmx_vmexit_handler.c
254
255
256
257
258
259
260
261
262
263
break; if ( hvm_long_mode_enabled(v) ) HVMTRACE_LONG_2D(PF_XEN, regs->error_code, TRC_PAR_LONG(exit_qualification) ); else HVMTRACE_2D(PF_XEN, regs->error_code, exit_qualification ); break; }
+ show +
264
265
266
267
268
hvm_inject_page_fault(regs->error_code, exit_qualification); break; case TRAP_nmi: if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) != X86_EVENTTYPE_NMI )
+ show +
269
270
271
272
273
274
275
276
277
278
goto exit_and_crash; HVMTRACE_0D(NMI); /* Already handled above. */ break; case TRAP_machine_check: HVMTRACE_0D(MCE); /* Already handled above. */ break; case TRAP_invalid_op: HVMTRACE_1D(TRAP, vector);
.\cloneFuncs\totalClone\Type-3\CVE-2015-5307_before_6mo_1430734663_vmx_vmexit_handler.c
218
219
220
221
222
223
224
225
226
227
break; if ( hvm_long_mode_enabled(v) ) HVMTRACE_LONG_2D(PF_XEN, regs->error_code, TRC_PAR_LONG(exit_qualification) ); else HVMTRACE_2D(PF_XEN, regs->error_code, exit_qualification ); break; }
+ show +
228
229
230
231
232
hvm_inject_page_fault(regs->error_code, exit_qualification); break; case TRAP_nmi: if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) != X86_EVENTTYPE_NMI )
+ show +
233
234
235
236
237
238
239
240
241
242
goto exit_and_crash; HVMTRACE_0D(NMI); /* Already handled above. */ break; case TRAP_machine_check: HVMTRACE_0D(MCE); /* Already handled above. */ break; case TRAP_invalid_op: HVMTRACE_1D(TRAP, vector);

[xen_CVE-2016-2271_1455722288_vmx_vmexit_handler.diff] vmx_vmexit_handler_OLD.c #1
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; - unsigned int vector = 0; + unsigned int vector = 0, mode; struct vcpu *v = current; __vmread(GUEST_RIP, ®s->rip);
.\cloneFuncs\totalClone\Type-1\CVE-2015-5307_before_1mo_1440757025_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];
.\cloneFuncs\totalClone\Type-1\CVE-2016-2271_before_imd_1455542056_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];
.\cloneFuncs\totalClone\Type-2\CVE-2015-5307_after_imd_1447344031_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];
.\cloneFuncs\totalClone\Type-3\CVE-2015-5307_after_1mo_1449749526_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];
.\cloneFuncs\totalClone\Type-3\CVE-2015-5307_before_6mo_1430734663_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];
.\cloneFuncs\totalClone\Type-3\CVE-2016-2271_before_1mo_1452594565_vmx_vmexit_handler.c
+ show +
1
2
3
4
5
6
7
void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; unsigned int vector = 0; struct vcpu *v = current; __vmread(GUEST_RIP, &regs->rip);
+ show +
8
9
10
11
12
13
14
15
16
17
__vmread(GUEST_RSP, &regs->rsp); __vmread(GUEST_RFLAGS, &regs->rflags); hvm_invalidate_regs_fields(regs); if ( paging_mode_hap(v->domain) ) { __vmread(GUEST_CR3, &v->arch.hvm_vcpu.hw_cr[3]); if ( vmx_unrestricted_guest(v) || hvm_paging_enabled(v) ) v->arch.hvm_vcpu.guest_cr[3] = v->arch.hvm_vcpu.hw_cr[3];

[linux_CVE-2015-5307_1446570233_handle_exception.diff] handle_exception_OLD.c #1
return handle_rmode_exception(vcpu, ex_no, error_code); switch (ex_no) { + case AC_VECTOR: + kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); + return 1; case DB_VECTOR: dr6 = vmcs_readl(EXIT_QUALIFICATION); if (!(vcpu->guest_debug &
.\cloneFuncs\totalClone\Type-1\CVE-2015-5307_before_1mo_1442586595_handle_exception.c
59
60
61
62
63
64
65
66
67
68
trace_kvm_page_fault(cr2, error_code); if (kvm_event_needs_reinjection(vcpu)) kvm_mmu_unprotect_page_virt(vcpu, cr2); return kvm_mmu_page_fault(vcpu, cr2, error_code, NULL, 0); } ex_no = intr_info & INTR_INFO_VECTOR_MASK; if (vmx->rmode.vm86_active && rmode_exception(vcpu, ex_no))
+ show +
69
70
71
72
73
74
return handle_rmode_exception(vcpu, ex_no, error_code); switch (ex_no) { case DB_VECTOR: dr6 = vmcs_readl(EXIT_QUALIFICATION); if (!(vcpu->guest_debug &
+ show +
75
76
77
78
79
80
81
82
83
84
(KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) { vcpu->arch.dr6 &= ~15; vcpu->arch.dr6 |= dr6 | DR6_RTM; if (!(dr6 & ~DR6_RESERVED)) /* icebp */ skip_emulated_instruction(vcpu); kvm_queue_exception(vcpu, DB_VECTOR); return 1; } kvm_run->debug.arch.dr6 = dr6 | DR6_FIXED_1;

[linux_CVE-2015-5307_1446570233_update_exception_bitmap.diff] update_exception_bitmap_OLD.c #1
u32 eb; eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | - (1u << NM_VECTOR) | (1u << DB_VECTOR); + (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); if ((vcpu->guest_debug & (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
.\cloneFuncs\totalClone\Type-1\CVE-2015-5307_before_1mo_1442586595_update_exception_bitmap.c
1
2
static void update_exception_bitmap(struct kvm_vcpu *vcpu) {
+ show +
3
4
5
6
7
8
9
u32 eb; eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | (1u << NM_VECTOR) | (1u << DB_VECTOR); if ((vcpu->guest_debug & (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
+ show +
10
11
12
13
14
15
16
17
18
19
eb |= 1u << BP_VECTOR; if (to_vmx(vcpu)->rmode.vm86_active) eb = ~0; if (enable_ept) eb &= ~(1u << PF_VECTOR); /* bypass_guest_pf = 0 */ if (vcpu->fpu_active) eb &= ~(1u << NM_VECTOR); /* When we are running a nested L2 guest and L1 specified for it a * certain exception bitmap, we must trap the same exceptions and pass

[linux_CVE-2015-5327_1447321000_x509_decode_time.diff] x509_decode_time_OLD.c #1
if (*p != 'Z') goto unsupported_time; - mon_len = month_lengths[mon]; + if (year < 1970 || + mon < 1 || mon > 12) + goto invalid_time; + + mon_len = month_lengths[mon - 1]; if (mon == 2) { if (year % 4 == 0) { mon_len = 29;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5327_before_imd_1442475771_x509_decode_time.c
29
30
31
32
33
34
35
36
37
38
} else { goto unsupported_time; } mon = DD2bin(p); day = DD2bin(p); hour = DD2bin(p); min = DD2bin(p); sec = DD2bin(p);
+ show +
39
40
41
42
43
44
45
if (*p != 'Z') goto unsupported_time; mon_len = month_lengths[mon]; if (mon == 2) { if (year % 4 == 0) { mon_len = 29;
+ show +
46
47
48
49
50
51
52
53
54
55
if (year % 100 == 0) { year /= 100; if (year % 4 != 0) mon_len = 28; } } } if (year < 1970 || mon < 1 || mon > 12 ||
.\cloneFuncs\totalClone\Type-2\CVE-2015-5327_before_1mo_1438185512_x509_decode_time.c
29
30
31
32
33
34
35
36
37
38
} else { goto unsupported_time; } mon = DD2bin(p); day = DD2bin(p); hour = DD2bin(p); min = DD2bin(p); sec = DD2bin(p);
+ show +
39
40
41
42
43
44
45
if (*p != 'Z') goto unsupported_time; mon_len = month_lengths[mon]; if (mon == 2) { if (year % 4 == 0) { mon_len = 29;
+ show +
46
47
48
49
50
51
52
53
54
55
if (year % 100 == 0) { year /= 100; if (year % 4 != 0) mon_len = 28; } } } if (year < 1970 || mon < 1 || mon > 12 ||

[linux_CVE-2015-5327_1447321000_x509_decode_time.diff] x509_decode_time_OLD.c #2
} } - if (year < 1970 || - mon < 1 || mon > 12 || - day < 1 || day > mon_len || + if (day < 1 || day > mon_len || hour > 23 || min > 59 || sec > 59) goto invalid_time; - + *_t = mktime64(year, mon, day, hour, min, sec); return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2015-5327_before_imd_1442475771_x509_decode_time.c
41
42
43
44
45
46
47
48
49
50
mon_len = month_lengths[mon]; if (mon == 2) { if (year % 4 == 0) { mon_len = 29; if (year % 100 == 0) { year /= 100; if (year % 4 != 0) mon_len = 28; }
+ show +
51
52
53
54
55
56
57
58
59
60
61
62
63
} } if (year < 1970 || mon < 1 || mon > 12 || day < 1 || day > mon_len || hour > 23 || min > 59 || sec > 59) goto invalid_time; *_t = mktime64(year, mon, day, hour, min, sec); return 0;
+ show +
64
65
66
67
68
69
70
71
72
73
unsupported_time: pr_debug("Got unsupported time [tag %02x]: '%*phN'\n", tag, (int)vlen, value); return -EBADMSG; invalid_time: pr_debug("Got invalid time [tag %02x]: '%*phN'\n", tag, (int)vlen, value); return -EBADMSG; }

[qemu_CVE-2015-6815_1441383666_process_tx_desc.diff] process_tx_desc_OLD.c #1
memmove(tp->data, tp->header, tp->hdr_len); tp->size = tp->hdr_len; } - } while (split_size -= bytes); + split_size -= bytes; + } while (bytes && split_size); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentation error\n");
.\cloneFuncs\totalClone\Type-1\CVE-2015-6815_before_1mo_1411474194_process_tx_desc.c
62
63
64
65
66
67
68
69
70
71
bytes = MIN(sizeof(tp->data) - tp->size, bytes); pci_dma_read(d, addr, tp->data + tp->size, bytes); sz = tp->size + bytes; if (sz >= tp->hdr_len && tp->size < tp->hdr_len) { memmove(tp->header, tp->data, tp->hdr_len); } tp->size = sz; addr += bytes; if (sz == msh) { xmit_seg(s);
+ show +
72
73
74
75
76
77
78
memmove(tp->data, tp->header, tp->hdr_len); tp->size = tp->hdr_len; } } while (split_size -= bytes); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentation error\n");
+ show +
79
80
81
82
83
84
85
86
87
88
} else { split_size = MIN(sizeof(tp->data) - tp->size, split_size); pci_dma_read(d, addr, tp->data + tp->size, split_size); tp->size += split_size; } if (!(txd_lower & E1000_TXD_CMD_EOP)) return; if (!(tp->tse && tp->cptse && tp->size < tp->hdr_len)) { xmit_seg(s);
.\cloneFuncs\totalClone\Type-2\CVE-2015-6815_before_6mo_1421679150_process_tx_desc.c
62
63
64
65
66
67
68
69
70
71
bytes = MIN(sizeof(tp->data) - tp->size, bytes); pci_dma_read(d, addr, tp->data + tp->size, bytes); sz = tp->size + bytes; if (sz >= tp->hdr_len && tp->size < tp->hdr_len) { memmove(tp->header, tp->data, tp->hdr_len); } tp->size = sz; addr += bytes; if (sz == msh) { xmit_seg(s);
+ show +
72
73
74
75
76
77
78
memmove(tp->data, tp->header, tp->hdr_len); tp->size = tp->hdr_len; } } while (split_size -= bytes); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentation error\n");
+ show +
79
80
81
82
83
84
85
86
87
88
} else { split_size = MIN(sizeof(tp->data) - tp->size, split_size); pci_dma_read(d, addr, tp->data + tp->size, split_size); tp->size += split_size; } if (!(txd_lower & E1000_TXD_CMD_EOP)) return; if (!(tp->tse && tp->cptse && tp->size < tp->hdr_len)) { xmit_seg(s);

[linux_CVE-2015-6937_1448403201_rds_sendmsg.diff] rds_sendmsg_OLD.c #1
release_sock(sk); } - /* racing with another thread binding seems ok here */ + lock_sock(sk); if (daddr == 0 || rs->rs_bound_addr == 0) { + release_sock(sk); ret = -ENOTCONN; /* XXX not a great errno */ goto out; } + release_sock(sk); if (payload_len > rds_sk_sndbuf(rs)) { ret = -EMSGSIZE;
.\cloneFuncs\totalClone\Type-1\CVE-2015-6937_before_1mo_1441520331_rds_sendmsg.c
25
26
27
28
29
30
31
32
33
34
ret = -EINVAL; goto out; } daddr = usin->sin_addr.s_addr; dport = usin->sin_port; } else { /* We only care about consistency with ->connect() */ lock_sock(sk); daddr = rs->rs_conn_addr; dport = rs->rs_conn_port;
+ show +
35
36
37
38
39
40
41
42
43
44
45
release_sock(sk); } /* racing with another thread binding seems ok here */ if (daddr == 0 || rs->rs_bound_addr == 0) { ret = -ENOTCONN; /* XXX not a great errno */ goto out; } if (payload_len > rds_sk_sndbuf(rs)) { ret = -EMSGSIZE;
+ show +
46
47
48
49
50
51
52
53
54
55
goto out; } /* size of rm including all sgs */ ret = rds_rm_size(msg, payload_len); if (ret < 0) goto out; rm = rds_message_alloc(ret, GFP_KERNEL); if (!rm) {

[linux_CVE-2015-7513_1447887023_kvm_vm_ioctl_set_pit2.diff] kvm_vm_ioctl_set_pit2_OLD.c #1
static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps) { int start = 0; + int i; u32 prev_legacy, cur_legacy; mutex_lock(&kvm->arch.vpit->pit_state.lock); prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
.\cloneFuncs\totalClone\Type-1\CVE-2015-7513_before_imd_1449769052_kvm_vm_ioctl_set_pit2.c
+ show +
1
2
3
4
5
6
static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps) { int start = 0; u32 prev_legacy, cur_legacy; mutex_lock(&kvm->arch.vpit->pit_state.lock); prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
+ show +
7
8
9
10
11
12
13
14
15
16
cur_legacy = ps->flags & KVM_PIT_FLAGS_HPET_LEGACY; if (!prev_legacy && cur_legacy) start = 1; memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels, sizeof(kvm->arch.vpit->pit_state.channels)); kvm->arch.vpit->pit_state.flags = ps->flags; kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start); mutex_unlock(&kvm->arch.vpit->pit_state.lock); return 0; }

[xen_CVE-2015-7814_1446122057_relinquish_memory.diff] relinquish_memory_OLD.c #1
{ /* Grab a reference to the page so it won't disappear from under us. */ if ( unlikely(!get_page(page, d)) ) - /* Couldn't get a reference -- someone is freeing this page. */ - BUG(); + /* + * Couldn't get a reference -- someone is freeing this page and + * has already committed to doing so, so no more to do here. + * + * Note that the page must be left on the list, a list_del + * here will clash with the list_del done by the other + * party in the race and corrupt the list head. + */ + continue; if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) put_page(page);
.\cloneFuncs\totalClone\Type-1\CVE-2015-7814_before_1mo_1442918541_relinquish_memory.c
1
2
3
4
5
6
7
8
9
static int relinquish_memory(struct domain *d, struct page_list_head *list) { struct page_info *page, *tmp; int ret = 0; /* Use a recursive lock, as we may enter 'free_domheap_page'. */ spin_lock_recursive(&d->page_alloc_lock); page_list_for_each_safe( page, tmp, list )
+ show +
10
11
12
13
14
15
16
17
{ /* Grab a reference to the page so it won't disappear from under us. */ if ( unlikely(!get_page(page, d)) ) /* Couldn't get a reference -- someone is freeing this page. */ BUG(); if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) put_page(page);
+ show +
18
19
20
21
22
23
24
25
26
27
put_page(page); if ( hypercall_preempt_check() ) { ret = -ERESTART; goto out; } }

[xen_CVE-2015-7835_1446122107_mod_l2_entry.diff] mod_l2_entry_OLD.c #1
} /* Fast path for identical mapping and presence. */ - if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) ) + if ( !l2e_has_changed(ol2e, nl2e, + unlikely(opt_allow_superpage) + ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT + : _PAGE_PRESENT) ) { adjust_guest_l2e(nl2e, d); if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
.\cloneFuncs\totalClone\Type-1\CVE-2015-7835_before_1mo_1443164729_mod_l2_entry.c
19
20
21
22
23
24
25
26
27
28
if ( unlikely(__copy_from_user(&ol2e, pl2e, sizeof(ol2e)) != 0) ) return -EFAULT; if ( l2e_get_flags(nl2e) & _PAGE_PRESENT ) { if ( unlikely(l2e_get_flags(nl2e) & L2_DISALLOW_MASK) ) { MEM_LOG("Bad L2 flags %x", l2e_get_flags(nl2e) & L2_DISALLOW_MASK); return -EINVAL;
+ show +
29
30
31
32
33
34
35
} /* Fast path for identical mapping and presence. */ if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) ) { adjust_guest_l2e(nl2e, d); if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
+ show +
36
37
38
39
40
41
42
43
44
45
return 0; return -EBUSY; } if ( unlikely((rc = get_page_from_l2e(nl2e, pfn, d)) < 0) ) return rc; adjust_guest_l2e(nl2e, d); if ( unlikely(!UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad)) )

[xen_CVE-2015-7970_1446122185_p2m_initialise.diff] p2m_initialise_OLD.c #1
static int p2m_initialise(struct domain *d, struct p2m_domain *p2m) { + unsigned int i; int ret = 0; mm_rwlock_init(&p2m->lock);
.\cloneFuncs\totalClone\Type-1\CVE-2015-7970_before_1mo_1443527611_p2m_initialise.c
+ show +
1
2
3
4
5
static int p2m_initialise(struct domain *d, struct p2m_domain *p2m) { int ret = 0; mm_rwlock_init(&p2m->lock);
+ show +
6
7
8
9
10
11
12
13
14
15
mm_lock_init(&p2m->pod.lock); INIT_LIST_HEAD(&p2m->np2m_list); INIT_PAGE_LIST_HEAD(&p2m->pages); INIT_PAGE_LIST_HEAD(&p2m->pod.super); INIT_PAGE_LIST_HEAD(&p2m->pod.single); p2m->domain = d; p2m->default_access = p2m_access_rwx; p2m->p2m_class = p2m_host;

[xen_CVE-2015-7970_1446122185_p2m_initialise.diff] p2m_initialise_OLD.c #2
p2m->np2m_base = P2M_BASE_EADDR; + for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i ) + p2m->pod.mrp.list[i] = INVALID_GFN; + if ( hap_enabled(d) && cpu_has_vmx ) ret = ept_p2m_init(p2m); else
.\cloneFuncs\totalClone\Type-1\CVE-2015-7970_before_1mo_1443527611_p2m_initialise.c
6
7
8
9
10
11
12
13
14
15
mm_lock_init(&p2m->pod.lock); INIT_LIST_HEAD(&p2m->np2m_list); INIT_PAGE_LIST_HEAD(&p2m->pages); INIT_PAGE_LIST_HEAD(&p2m->pod.super); INIT_PAGE_LIST_HEAD(&p2m->pod.single); p2m->domain = d; p2m->default_access = p2m_access_rwx; p2m->p2m_class = p2m_host;
+ show +
16
17
18
19
20
p2m->np2m_base = P2M_BASE_EADDR; if ( hap_enabled(d) && cpu_has_vmx ) ret = ept_p2m_init(p2m); else
+ show +
21
22
23
24
p2m_pt_init(p2m); return ret; }

[linux_CVE-2015-8104_1447143279_db_interception.diff] db_interception_OLD.c #1
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) svm->vmcb->save.rflags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF); - update_db_bp_intercept(&svm->vcpu); } if (svm->vcpu.guest_debug &
.\cloneFuncs\totalClone\Type-1\CVE-2015-8104_before_1mo_1438245136_db_interception.c
4
5
6
7
8
9
10
11
12
13
if (!(svm->vcpu.guest_debug & (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) && !svm->nmi_singlestep) { kvm_queue_exception(&svm->vcpu, DB_VECTOR); return 1; } if (svm->nmi_singlestep) { svm->nmi_singlestep = false;
+ show +
14
15
16
17
18
19
20
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) svm->vmcb->save.rflags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF); update_db_bp_intercept(&svm->vcpu); } if (svm->vcpu.guest_debug &
+ show +
21
22
23
24
25
26
27
28
29
30
(KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) { kvm_run->exit_reason = KVM_EXIT_DEBUG; kvm_run->debug.arch.pc = svm->vmcb->save.cs.base + svm->vmcb->save.rip; kvm_run->debug.arch.exception = DB_VECTOR; return 0; } return 1; }

[linux_CVE-2015-8104_1447143279_init_vmcb.diff] init_vmcb_OLD.c #1
set_exception_intercept(svm, UD_VECTOR); set_exception_intercept(svm, MC_VECTOR); set_exception_intercept(svm, AC_VECTOR); + set_exception_intercept(svm, DB_VECTOR); set_intercept(svm, INTERCEPT_INTR); set_intercept(svm, INTERCEPT_NMI);
.\cloneFuncs\totalClone\Type-1\CVE-2015-8104_before_imd_1446570233_init_vmcb.c
10
11
12
13
14
15
16
17
18
19
set_cr_intercept(svm, INTERCEPT_CR3_READ); set_cr_intercept(svm, INTERCEPT_CR4_READ); set_cr_intercept(svm, INTERCEPT_CR0_WRITE); set_cr_intercept(svm, INTERCEPT_CR3_WRITE); set_cr_intercept(svm, INTERCEPT_CR4_WRITE); set_cr_intercept(svm, INTERCEPT_CR8_WRITE); set_dr_intercepts(svm); set_exception_intercept(svm, PF_VECTOR);
+ show +
20
21
22
23
24
25
set_exception_intercept(svm, UD_VECTOR); set_exception_intercept(svm, MC_VECTOR); set_exception_intercept(svm, AC_VECTOR); set_intercept(svm, INTERCEPT_INTR); set_intercept(svm, INTERCEPT_NMI);
+ show +
26
27
28
29
30
31
32
33
34
35
set_intercept(svm, INTERCEPT_SMI); set_intercept(svm, INTERCEPT_SELECTIVE_CR0); set_intercept(svm, INTERCEPT_RDPMC); set_intercept(svm, INTERCEPT_CPUID); set_intercept(svm, INTERCEPT_INVD); set_intercept(svm, INTERCEPT_HLT); set_intercept(svm, INTERCEPT_INVLPG); set_intercept(svm, INTERCEPT_INVLPGA); set_intercept(svm, INTERCEPT_IOIO_PROT); set_intercept(svm, INTERCEPT_MSR_PROT);

[ffmpeg_CVE-2015-8365_1447595528_smka_decode_frame.diff] smka_decode_frame_OLD.c #1
av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR(EINVAL); } + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, + "The buffer does not contain an integer number of samples\n"); + return AVERROR(EINVAL); + } /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
.\cloneFuncs\totalClone\Type-1\CVE-2015-8365_before_imd_1493426051_smka_decode_frame.c
29
30
31
32
33
34
35
36
37
38
*got_frame_ptr = 0; return 1; } stereo = bitstream_read_bit(&bc); bits = bitstream_read_bit(&bc); if (stereo ^ (avctx->channels != 1)) { av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); return AVERROR(EINVAL); } if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) {
+ show +
39
40
41
42
43
44
av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR(EINVAL); } /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+ show +
45
46
47
48
49
50
51
52
53
54
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } samples = (int16_t *)frame->data[0]; samples8 = frame->data[0]; // Initialize for(i = 0; i < (1 << (bits + stereo)); i++) { h[i].length = 256;
.\cloneFuncs\totalClone\Type-2\CVE-2015-8365_before_1mo_1436229687_smka_decode_frame.c
29
30
31
32
33
34
35
36
37
38
*got_frame_ptr = 0; return 1; } stereo = get_bits1(&gb); bits = get_bits1(&gb); if (stereo ^ (avctx->channels != 1)) { av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); return AVERROR(EINVAL); } if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) {
+ show +
39
40
41
42
43
44
av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR(EINVAL); } /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+ show +
45
46
47
48
49
50
51
52
53
54
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } samples = (int16_t *)frame->data[0]; samples8 = frame->data[0]; // Initialize for(i = 0; i < (1 << (bits + stereo)); i++) { h[i].length = 256;
.\cloneFuncs\totalClone\Type-3\CVE-2015-8365_after_1mo_1509556068_smka_decode_frame.c
35
36
37
38
39
40
41
42
43
44
*got_frame_ptr = 0; return 1; } stereo = get_bits1(&gb); bits = get_bits1(&gb); if (stereo ^ (avctx->channels != 1)) { av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); return AVERROR(EINVAL); } if (bits == (avctx->sample_fmt == AV_SAMPLE_FMT_U8)) {
+ show +
45
46
47
48
49
50
av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR(EINVAL); } /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+ show +
51
52
53
54
55
56
57
58
59
60
if (unp_size % (avctx->channels * (bits + 1))) { av_log(avctx, AV_LOG_ERROR, "The buffer does not contain an integer number of samples\n"); return AVERROR(EINVAL); } if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; samples = (int16_t *)frame->data[0]; samples8 = frame->data[0];

[qemu_CVE-2015-8558_1450081283_ehci_process_itd.diff] ehci_process_itd_OLD.c #1
{ USBDevice *dev; USBEndpoint *ep; - uint32_t i, len, pid, dir, devaddr, endp; + uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; uint32_t pg, off, ptr1, ptr2, max, mult; ehci->periodic_sched_active = PERIODIC_ACTIVE;
.\cloneFuncs\totalClone\Type-1\CVE-2015-8558_before_1mo_1436364609_ehci_process_itd.c
1
2
3
static int ehci_process_itd(EHCIState *ehci, EHCIitd *itd, uint32_t addr)
+ show +
4
5
6
7
8
9
10
{ USBDevice *dev; USBEndpoint *ep; uint32_t i, len, pid, dir, devaddr, endp; uint32_t pg, off, ptr1, ptr2, max, mult; ehci->periodic_sched_active = PERIODIC_ACTIVE;
+ show +
11
12
13
14
15
16
17
18
19
20
dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR); endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP); max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT); mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT); for(i = 0; i < 8; i++) { if (itd->transact[i] & ITD_XACT_ACTIVE) { pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
.\cloneFuncs\totalClone\Type-3\CVE-2015-8558_after_6mo_1469638520_ehci_process_itd.c
1
2
3
static int ehci_process_itd(EHCIState *ehci, EHCIitd *itd, uint32_t addr)
+ show +
4
5
6
7
8
9
10
{ USBDevice *dev; USBEndpoint *ep; uint32_t i, len, pid, dir, devaddr, endp; uint32_t pg, off, ptr1, ptr2, max, mult; ehci->periodic_sched_active = PERIODIC_ACTIVE;
+ show +
11
12
13
14
15
16
17
18
19
20
dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR); endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP); max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT); mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT); for(i = 0; i < 8; i++) { if (itd->transact[i] & ITD_XACT_ACTIVE) { pg = get_field(itd->transact[i], ITD_XACT_PGSEL);

[libtiff_CVE-2015-8665_1451151123_PickContigCase.diff] PickContigCase_OLD.c #1
case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >= 4) img->put.contig = putRGBAAcontig8bittile; - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >= 4) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } - else + else if( img->samplesperpixel >= 3 ) img->put.contig = putRGBcontig8bittile; break; case 16: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } - else + else if( img->samplesperpixel >=3 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile;
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_before_1mo_1447878907_PickContigCase.c
1
2
3
4
5
6
static int PickContigCase(TIFFRGBAImage* img) { img->get = TIFFIsTiled(img->tif) ? gtTileContig : gtStripContig; img->put.contig = NULL; switch (img->photometric) {
+ show +
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: if (img->alpha == EXTRASAMPLE_ASSOCALPHA) img->put.contig = putRGBAAcontig8bittile; else if (img->alpha == EXTRASAMPLE_UNASSALPHA) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } else img->put.contig = putRGBcontig8bittile; break; case 16: if (img->alpha == EXTRASAMPLE_ASSOCALPHA) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } else if (img->alpha == EXTRASAMPLE_UNASSALPHA) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } else { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile;
+ show +
36
37
38
39
40
41
42
43
44
45
} break; } break; case PHOTOMETRIC_SEPARATED: if (buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile; else

[libtiff_CVE-2015-8665_1451151123_PickContigCase.diff] PickContigCase_OLD.c #2
} break; case PHOTOMETRIC_SEPARATED: - if (buildMap(img)) { + if (img->samplesperpixel >=4 && buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile;
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_before_1mo_1447878907_PickContigCase.c
28
29
30
31
32
33
34
35
36
37
if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } else { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; } break;
+ show +
38
39
40
41
42
43
44
} break; case PHOTOMETRIC_SEPARATED: if (buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile;
+ show +
45
46
47
48
49
50
51
52
53
54
else img->put.contig = putRGBcontig8bitCMYKMaptile; } } break; case PHOTOMETRIC_PALETTE: if (buildMap(img)) { switch (img->bitspersample) { case 8: img->put.contig = put8bitcmaptile;

[libtiff_CVE-2015-8665_1451151123_TIFFRGBAImageBegin.diff] TIFFRGBAImageBegin_OLD.c #1
int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; + + if( !TIFFRGBAImageOK(tif, emsg) ) + return 0; /* Initialize to normal values */ img->row_offset = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_before_1mo_1447878907_TIFFRGBAImageBegin.c
1
2
3
4
5
6
7
int TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) { uint16* sampleinfo; uint16 extrasamples; uint16 planarconfig; uint16 compress;
+ show +
8
9
10
11
12
13
int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; /* Initialize to normal values */ img->row_offset = 0;
+ show +
14
15
16
17
18
19
20
21
22
23
img->col_offset = 0; img->redcmap = NULL; img->greencmap = NULL; img->bluecmap = NULL; img->req_orientation = ORIENTATION_BOTLEFT; /* It is the default */ img->tif = tif; img->stoponerr = stop; TIFFGetFieldDefaulted(tif, TIFFTAG_BITSPERSAMPLE, &img->bitspersample); switch (img->bitspersample) {
.\cloneFuncs\totalClone\Type-2\CVE-2015-8665_before_6mo_1434504847_TIFFRGBAImageBegin.c
1
2
3
4
5
6
7
int TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) { uint16* sampleinfo; uint16 extrasamples; uint16 planarconfig; uint16 compress;
+ show +
8
9
10
11
12
13
int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; /* Initialize to normal values */ img->row_offset = 0;
+ show +
14
15
16
17
18
19
20
21
22
23
img->col_offset = 0; img->redcmap = NULL; img->greencmap = NULL; img->bluecmap = NULL; img->req_orientation = ORIENTATION_BOTLEFT; /* It is the default */ img->tif = tif; img->stoponerr = stop; TIFFGetFieldDefaulted(tif, TIFFTAG_BITSPERSAMPLE, &img->bitspersample); switch (img->bitspersample) {

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #1
if (window >= 5) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ - if ((top & 7) == 0) - powerbufLen += 2 * top * sizeof(m->d[0]); + /* reserve space for mont->N.d[] copy */ + powerbufLen += top * sizeof(mont->N.d[0]); } #endif (void)0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
85
86
87
88
89
90
91
92
93
94
/* Get the window size to use with size of p. */ window = BN_window_bits_for_ctime_exponent_size(bits); #if defined(SPARC_T4_MONT) if (window >= 5 && (top & 15) == 0 && top <= 64 && (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) == (CFR_MONTMUL | CFR_MONTSQR) && (t4 = OPENSSL_sparcv9cap_P[0])) window = 5; else #endif #if defined(OPENSSL_BN_ASM_MONT5)
+ show +
95
96
97
98
99
100
101
102
if (window >= 5) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ if ((top & 7) == 0) powerbufLen += 2 * top * sizeof(m->d[0]); } #endif (void)0;
+ show +
103
104
105
106
107
108
109
110
111
112
/* * Allocate a buffer large enough to hold all of the pre-computed powers * of am, am itself and tmp. */ numPowers = 1 << window; powerbufLen += sizeof(m->d[0]) * (top * numPowers + ((2 * top) > numPowers ? (2 * top) : numPowers)); #ifdef alloca
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
85
86
87
88
89
90
91
92
93
94
/* Get the window size to use with size of p. */ window = BN_window_bits_for_ctime_exponent_size(bits); #if defined(SPARC_T4_MONT) if (window >= 5 && (top & 15) == 0 && top <= 64 && (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) == (CFR_MONTMUL | CFR_MONTSQR) && (t4 = OPENSSL_sparcv9cap_P[0])) window = 5; else #endif #if defined(OPENSSL_BN_ASM_MONT5)
+ show +
95
96
97
98
99
100
101
102
if (window >= 5) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ if ((top & 7) == 0) powerbufLen += 2 * top * sizeof(m->d[0]); } #endif (void)0;
+ show +
103
104
105
106
107
108
109
110
111
112
/* * Allocate a buffer large enough to hold all of the pre-computed powers * of am, am itself and tmp. */ numPowers = 1 << window; powerbufLen += sizeof(m->d[0]) * (top * numPowers + ((2 * top) > numPowers ? (2 * top) : numPowers)); #ifdef alloca
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
78
79
80
81
82
83
84
85
86
87
/* Get the window size to use with size of p. */ window = BN_window_bits_for_ctime_exponent_size(bits); #if defined(SPARC_T4_MONT) if (window >= 5 && (top & 15) == 0 && top <= 64 && (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) == (CFR_MONTMUL | CFR_MONTSQR) && (t4 = OPENSSL_sparcv9cap_P[0])) window = 5; else #endif #if defined(OPENSSL_BN_ASM_MONT5)
+ show +
88
89
90
91
92
93
94
95
if (window >= 5) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ if ((top & 7) == 0) powerbufLen += 2 * top * sizeof(m->d[0]); } #endif (void)0;
+ show +
96
97
98
99
100
101
102
103
104
105
/* * Allocate a buffer large enough to hold all of the pre-computed powers * of am, am itself and tmp. */ numPowers = 1 << window; powerbufLen += sizeof(m->d[0]) * (top * numPowers + ((2 * top) > numPowers ? (2 * top) : numPowers)); #ifdef alloca

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #2
const BN_ULONG *not_used, const BN_ULONG *np, const BN_ULONG *n0, int num); - BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; + BN_ULONG *n0 = mont->n0, *np; /* * BN_to_montgomery can contaminate words above .top [in
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
306
307
308
309
310
311
312
313
314
315
const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); void bn_scatter5(const BN_ULONG *inp, size_t num, void *table, size_t power); void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power); void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); int bn_get_bits5(const BN_ULONG *ap, int off); int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
+ show +
316
317
318
319
320
321
322
const BN_ULONG *not_used, const BN_ULONG *np, const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in
+ show +
323
324
325
326
327
328
329
330
331
332
* BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0; for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
306
307
308
309
310
311
312
313
314
315
const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); void bn_scatter5(const BN_ULONG *inp, size_t num, void *table, size_t power); void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power); void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); int bn_get_bits5(const BN_ULONG *ap, int off); int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
+ show +
316
317
318
319
320
321
322
const BN_ULONG *not_used, const BN_ULONG *np, const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in
+ show +
323
324
325
326
327
328
329
330
331
332
* BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0; for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
299
300
301
302
303
304
305
306
307
308
const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); void bn_scatter5(const BN_ULONG *inp, size_t num, void *table, size_t power); void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power); void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); int bn_get_bits5(const BN_ULONG *ap, int off); int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
+ show +
309
310
311
312
313
314
315
const BN_ULONG *not_used, const BN_ULONG *np, const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in
+ show +
316
317
318
319
320
321
322
323
324
325
* BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0; for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #3
for (i = tmp.top; i < top; i++) tmp.d[i] = 0; - if (top & 7) - np2 = np; - else - for (np2 = am.d + top, i = 0; i < top; i++) - np2[2 * i] = np[i]; + /* + * copy mont->N.d[] to improve cache locality + */ + for (np = am.d + top, i = 0; i < top; i++) + np[i] = mont->N.d[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1);
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
317
318
319
320
321
322
323
324
325
326
const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in * BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0;
+ show +
327
328
329
330
331
332
333
334
335
336
337
for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1);
+ show +
338
339
340
341
342
343
344
345
346
347
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2); # if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
317
318
319
320
321
322
323
324
325
326
const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in * BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0;
+ show +
327
328
329
330
331
332
333
334
335
336
337
for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1);
+ show +
338
339
340
341
342
343
344
345
346
347
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2); # if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
310
311
312
313
314
315
316
317
318
319
const BN_ULONG *n0, int num); BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2; /* * BN_to_montgomery can contaminate words above .top [in * BN_DEBUG[_DEBUG] build]... */ for (i = am.top; i < top; i++) am.d[i] = 0;
+ show +
320
321
322
323
324
325
326
327
328
329
330
for (i = tmp.top; i < top; i++) tmp.d[i] = 0; if (top & 7) np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1);
+ show +
331
332
333
334
335
336
337
338
339
340
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2); # if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #4
# if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); + bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
331
332
333
334
335
336
337
338
339
340
np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1); bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2);
+ show +
341
342
343
344
345
346
347
# if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
+ show +
348
349
350
351
352
353
354
355
356
357
/* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) {
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
331
332
333
334
335
336
337
338
339
340
np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1); bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2);
+ show +
341
342
343
344
345
346
347
# if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
+ show +
348
349
350
351
352
353
354
355
356
357
/* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
324
325
326
327
328
329
330
331
332
333
np2 = np; else for (np2 = am.d + top, i = 0; i < top; i++) np2[2 * i] = np[i]; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.top, powerbuf, 1); bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2);
+ show +
334
335
336
337
338
339
340
# if 0 for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else
+ show +
341
342
343
344
345
346
347
348
349
350
/* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) {

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #5
} for (i = 3; i < 8; i += 2) { int j; - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); + bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
342
343
344
345
346
347
348
349
350
351
for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else /* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i);
+ show +
352
353
354
355
356
357
358
} for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ show +
359
360
361
362
363
364
365
366
367
368
bn_scatter5(tmp.d, top, powerbuf, j); } } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) {
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
342
343
344
345
346
347
348
349
350
351
for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else /* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i);
+ show +
352
353
354
355
356
357
358
} for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ show +
359
360
361
362
363
364
365
366
367
368
bn_scatter5(tmp.d, top, powerbuf, j); } } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
335
336
337
338
339
340
341
342
343
344
for (i = 3; i < 32; i++) { /* Calculate a^i = a^(i-1) * a */ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # else /* same as above, but uses squaring for 1/2 of operations */ for (i = 4; i < 32; i *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i);
+ show +
345
346
347
348
349
350
351
} for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ show +
352
353
354
355
356
357
358
359
360
361
bn_scatter5(tmp.d, top, powerbuf, j); } } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) {

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #6
} } for (; i < 16; i += 2) { - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); + bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) { - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); + bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # endif
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
350
351
352
353
354
355
356
357
358
359
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
360
361
362
363
364
365
366
367
368
369
370
371
372
} } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # endif
+ show +
373
374
375
376
377
378
379
380
381
382
bits--; for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_gather5(tmp.d, top, powerbuf, wvalue); /* * Scan the exponent one window at a time starting from the most * significant bits. */ if (top & 7)
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
350
351
352
353
354
355
356
357
358
359
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
360
361
362
363
364
365
366
367
368
369
370
371
372
} } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # endif
+ show +
373
374
375
376
377
378
379
380
381
382
bits--; for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_gather5(tmp.d, top, powerbuf, wvalue); /* * Scan the exponent one window at a time starting from the most * significant bits. */ if (top & 7)
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
343
344
345
346
347
348
349
350
351
352
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } for (i = 3; i < 8; i += 2) { int j; bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); for (j = 2 * i; j < 32; j *= 2) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
353
354
355
356
357
358
359
360
361
362
363
364
365
} } for (; i < 16; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, 2 * i); } for (; i < 32; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); } # endif
+ show +
366
367
368
369
370
371
372
373
374
375
bits--; for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_gather5(tmp.d, top, powerbuf, wvalue); /* * Scan the exponent one window at a time starting from the most * significant bits. */ if (top & 7)

[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #7
while (bits >= 0) { wvalue = bn_get_bits5(p->d, bits - 4); bits -= 5; - bn_power5(tmp.d, tmp.d, powerbuf, np2, n0, top, wvalue); + bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); } } - ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np2, n0, top); + ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top); tmp.top = top; bn_correct_top(&tmp); if (ret) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
385
386
387
388
389
390
391
392
393
394
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); } else {
+ show +
395
396
397
398
399
400
401
402
403
404
405
while (bits >= 0) { wvalue = bn_get_bits5(p->d, bits - 4); bits -= 5; bn_power5(tmp.d, tmp.d, powerbuf, np2, n0, top, wvalue); } } ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np2, n0, top); tmp.top = top; bn_correct_top(&tmp); if (ret) {
+ show +
406
407
408
409
410
411
412
413
414
415
if (!BN_copy(rr, &tmp)) ret = 0; goto err; /* non-zero ret means it's not error */ } } else #endif { if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window))
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
385
386
387
388
389
390
391
392
393
394
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); } else {
+ show +
395
396
397
398
399
400
401
402
403
404
405
while (bits >= 0) { wvalue = bn_get_bits5(p->d, bits - 4); bits -= 5; bn_power5(tmp.d, tmp.d, powerbuf, np2, n0, top, wvalue); } } ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np2, n0, top); tmp.top = top; bn_correct_top(&tmp); if (ret) {
+ show +
406
407
408
409
410
411
412
413
414
415
if (!BN_copy(rr, &tmp)) ret = 0; goto err; /* non-zero ret means it's not error */ } } else #endif { if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers))
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
378
379
380
381
382
383
384
385
386
387
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); } else {
+ show +
388
389
390
391
392
393
394
395
396
397
398
while (bits >= 0) { wvalue = bn_get_bits5(p->d, bits - 4); bits -= 5; bn_power5(tmp.d, tmp.d, powerbuf, np2, n0, top, wvalue); } } ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np2, n0, top); tmp.top = top; bn_correct_top(&tmp); if (ret) {
+ show +
399
400
401
402
403
404
405
406
407
408
if (!BN_copy(rr, &tmp)) ret = 0; goto err; /* non-zero ret means it's not error */ } } else #endif { if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers))

[linux_CVE-2016-0728_1453241344_join_session_keyring.diff] join_session_keyring_OLD.c #1
ret = PTR_ERR(keyring); goto error2; } else if (keyring == new->session_keyring) { + key_put(keyring); ret = 0; goto error2; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-0728_before_1mo_1441406565_join_session_keyring.c
32
33
34
35
36
37
38
39
40
41
/* not found - try and create a new one */ keyring = keyring_alloc( name, old->uid, old->gid, old, KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK, KEY_ALLOC_IN_QUOTA, NULL); if (IS_ERR(keyring)) { ret = PTR_ERR(keyring); goto error2; } } else if (IS_ERR(keyring)) {
+ show +
42
43
44
45
46
47
ret = PTR_ERR(keyring); goto error2; } else if (keyring == new->session_keyring) { ret = 0; goto error2; }
+ show +
48
49
50
51
52
53
54
55
56
57
/* we've got a keyring - now to install it */ ret = install_session_keyring_to_cred(new, keyring); if (ret < 0) goto error2; commit_creds(new); mutex_unlock(&key_session_mutex); ret = keyring->serial;

[openssl_CVE-2016-0797_1456136838_BN_dec2bn.diff] BN_dec2bn_OLD.c #1
a++; } - for (i = 0; isdigit((unsigned char)a[i]); i++) ; + for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; num = i + neg; if (bn == NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2016-0797_before_1mo_1432040387_BN_dec2bn.c
2
3
4
5
6
7
8
9
10
11
{ BIGNUM *ret = NULL; BN_ULONG l = 0; int neg = 0, i, j; int num; if ((a == NULL) || (*a == '\0')) return (0); if (*a == '-') { neg = 1;
+ show +
12
13
14
15
16
17
18
a++; } for (i = 0; isdigit((unsigned char)a[i]); i++) ; num = i + neg; if (bn == NULL)
+ show +
19
20
21
22
23
24
25
26
27
28
return (num); /* * a is the start of the digits, and it is 'i' long. We chop it into * BN_DEC_NUM digits at a time */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else {

[openssl_CVE-2016-0797_1456136838_BN_dec2bn.diff] BN_dec2bn_OLD.c #2
BN_zero(ret); } - /* i is the number of digests, a bit of an over expand; */ + /* i is the number of digits, a bit of an over expand */ if (bn_expand(ret, i * 4) == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-0797_before_1mo_1432040387_BN_dec2bn.c
20
21
22
23
24
25
26
27
28
29
/* * a is the start of the digits, and it is 'i' long. We chop it into * BN_DEC_NUM digits at a time */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else { ret = *bn;
+ show +
30
31
32
33
34
35
BN_zero(ret); } /* i is the number of digests, a bit of an over expand; */ if (bn_expand(ret, i * 4) == NULL) goto err;
+ show +
36
37
38
39
40
41
42
43
44
45
j = BN_DEC_NUM - (i % BN_DEC_NUM); if (j == BN_DEC_NUM) j = 0; l = 0; while (*a) { l *= 10; l += *a - '0'; a++; if (++j == BN_DEC_NUM) {

[openssl_CVE-2016-0797_1456136838_BN_hex2bn.diff] BN_hex2bn_OLD.c #1
a++; } - for (i = 0; isxdigit((unsigned char)a[i]); i++) ; + for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; num = i + neg; if (bn == NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2016-0797_before_1mo_1432040387_BN_hex2bn.c
3
4
5
6
7
8
9
10
11
12
BIGNUM *ret = NULL; BN_ULONG l = 0; int neg = 0, h, m, i, j, k, c; int num; if ((a == NULL) || (*a == '\0')) return (0); if (*a == '-') { neg = 1;
+ show +
13
14
15
16
17
18
19
a++; } for (i = 0; isxdigit((unsigned char)a[i]); i++) ; num = i + neg; if (bn == NULL)
+ show +
20
21
22
23
24
25
26
27
28
29
return (num); /* a is the start of the hex digits, and it is 'i' long */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else { ret = *bn; BN_zero(ret); }

[openssl_CVE-2016-0797_1456136838_BN_hex2bn.diff] BN_hex2bn_OLD.c #2
BN_zero(ret); } - /* i is the number of hex digests; */ + /* i is the number of hex digits */ if (bn_expand(ret, i * 4) == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-0797_before_1mo_1432040387_BN_hex2bn.c
18
19
20
21
22
23
24
25
26
27
num = i + neg; if (bn == NULL) return (num); /* a is the start of the hex digits, and it is 'i' long */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else { ret = *bn;
+ show +
28
29
30
31
32
33
BN_zero(ret); } /* i is the number of hex digests; */ if (bn_expand(ret, i * 4) == NULL) goto err;
+ show +
34
35
36
37
38
39
40
41
42
43
j = i; /* least significant 'hex' */ m = 0; h = 0; while (j > 0) { m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j; l = 0; for (;;) { c = a[j - m]; if ((c >= '0') && (c <= '9'))

[openssl_CVE-2016-0799_1456405786_BIO_vsnprintf.diff] BIO_vsnprintf_OLD.c #1
size_t retlen; int truncated; - _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); + if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args)) + return -1; if (truncated) /*
.\cloneFuncs\totalClone\Type-1\CVE-2016-0799_before_1mo_1450324967_BIO_vsnprintf.c
1
2
int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) {
+ show +
3
4
5
6
7
8
9
size_t retlen; int truncated; _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); if (truncated) /*
+ show +
10
11
12
13
14
15
16
17
18
* In case of truncation, return -1 like traditional snprintf. * (Current drafts for ISO/IEC 9899 say snprintf should return the * number of characters that would have been written, had the buffer * been large enough.) */ return -1; else return (retlen <= INT_MAX) ? (int)retlen : -1; }

[openssl_CVE-2016-0799_1456405786_doapr_outch.diff] doapr_outch_OLD.c #1
-static void +static int doapr_outch(char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, int c) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-0799_before_1mo_1450324967_doapr_outch.c
+ show +
1
2
3
4
static void doapr_outch(char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, int c) {
+ show +
5
6
7
8
9
10
11
12
13
14
/* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); /* |currlen| must always be <= |*maxlen| */ assert(*currlen <= *maxlen); if (buffer && *currlen == *maxlen) { *maxlen += 1024; if (*buffer == NULL) { *buffer = OPENSSL_malloc(*maxlen);
.\cloneFuncs\totalClone\Type-2\CVE-2016-0799_before_6mo_1431615408_doapr_outch.c
+ show +
1
2
3
4
static void doapr_outch(char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, int c) {
+ show +
5
6
7
8
9
10
11
12
13
14
/* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); /* |currlen| must always be <= |*maxlen| */ assert(*currlen <= *maxlen); if (buffer && *currlen == *maxlen) { *maxlen += 1024; if (*buffer == NULL) { *buffer = OPENSSL_malloc(*maxlen);

[openssl_CVE-2016-0799_1456405786_fmtfp.diff] fmtfp_OLD.c #1
-static void +static int fmtfp(char **sbuffer, char **buffer, size_t *currlen,
.\cloneFuncs\totalClone\Type-1\CVE-2016-0799_before_1mo_1450324967_fmtfp.c
+ show +
1
2
3
4
static void fmtfp(char **sbuffer, char **buffer, size_t *currlen,
+ show +
5
6
7
8
9
10
11
12
13
14
size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags) { int signvalue = 0; LDOUBLE ufvalue; char iconvert[20]; char fconvert[20]; int iplace = 0; int fplace = 0; int padlen = 0; int zpadlen = 0;

[openssl_CVE-2016-0799_1456405786_fmtint.diff] fmtint_OLD.c #1
-static void +static int fmtint(char **sbuffer, char **buffer, size_t *currlen,
.\cloneFuncs\totalClone\Type-1\CVE-2016-0799_before_1mo_1450324967_fmtint.c
+ show +
1
2
3
4
static void fmtint(char **sbuffer, char **buffer, size_t *currlen,
+ show +
5
6
7
8
9
10
11
12
13
14
size_t *maxlen, LLONG value, int base, int min, int max, int flags) { int signvalue = 0; const char *prefix = ""; unsigned LLONG uvalue; char convert[DECIMAL_SIZE(value) + 3]; int place = 0; int spadlen = 0; int zpadlen = 0; int caps = 0;

[libtiff_CVE-2016-10095_1496321044_TIFFReadDirectory.diff] TIFFReadDirectory_OLD.c #1
goto bad; dp->tdir_tag=IGNORE; break; + default: + if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) + dp->tdir_tag=IGNORE; + break; } } }
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_before_imd_1493307982_TIFFReadDirectory.c
159
160
161
162
163
164
165
166
167
168
case TIFFTAG_IMAGEWIDTH: case TIFFTAG_IMAGELENGTH: case TIFFTAG_IMAGEDEPTH: case TIFFTAG_TILELENGTH: case TIFFTAG_TILEWIDTH: case TIFFTAG_TILEDEPTH: case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0))
+ show +
169
170
171
172
173
174
goto bad; dp->tdir_tag=IGNORE; break; } } }
+ show +
175
176
177
178
179
180
181
182
183
184
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_before_1mo_1484150942_TIFFReadDirectory.c
159
160
161
162
163
164
165
166
167
168
case TIFFTAG_IMAGEWIDTH: case TIFFTAG_IMAGELENGTH: case TIFFTAG_IMAGEDEPTH: case TIFFTAG_TILELENGTH: case TIFFTAG_TILEWIDTH: case TIFFTAG_TILEDEPTH: case TIFFTAG_PLANARCONFIG: case TIFFTAG_ROWSPERSTRIP: case TIFFTAG_EXTRASAMPLES: if (!TIFFFetchNormalTag(tif,dp,0))
+ show +
169
170
171
172
173
174
goto bad; dp->tdir_tag=IGNORE; break; } } }
+ show +
175
176
177
178
179
180
181
182
183
184
} /* * XXX: OJPEG hack. * If a) compression is OJPEG, b) planarconfig tag says it's separate, * c) strip offsets/bytecounts tag are both present and * d) both contain exactly one value, then we consistently find * that the buggy implementation of the buggy compression scheme * matches contig planarconfig best. So we 'fix-up' the tag here */ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&

[xen_CVE-2016-1570_1453294163_get_superpage.diff] get_superpage_OLD.c #1
ASSERT(opt_allow_superpage); + if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) ) + return -EINVAL; + spage = mfn_to_spage(mfn); y = spage->type_info; do {
.\cloneFuncs\totalClone\Type-1\CVE-2016-1570_before_1mo_1450701613_get_superpage.c
1
2
3
4
5
6
int get_superpage(unsigned long mfn, struct domain *d) { struct spage_info *spage; unsigned long x, nx, y; int pages_done = 0;
+ show +
7
8
9
10
11
ASSERT(opt_allow_superpage); spage = mfn_to_spage(mfn); y = spage->type_info; do {
+ show +
12
13
14
15
16
17
18
19
20
21
x = y; nx = x + 1; if ( (x & SGT_type_mask) != SGT_none ) { if ( pages_done ) { put_spage_pages(spage_to_page(spage)); pages_done = 0; } }

[qemu_CVE-2021-20257_1634832647_start_xmit.diff] start_xmit_OLD.c #1
return; } + if (s->tx.busy) { + return; + } + s->tx.busy = true; + while (s->mac_reg[TDH] != s->mac_reg[TDT]) { base = tx_desc_base(s) + sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
.\cloneFuncs\totalClone\Type-1\CVE-2016-1981_after_1mo_1458200278_start_xmit.c
1
2
3
4
5
6
7
8
9
10
static void start_xmit(E1000State *s) { PCIDevice *d = PCI_DEVICE(s); dma_addr_t base; struct e1000_tx_desc desc; uint32_t tdh_start = s->mac_reg[TDH], cause = E1000_ICS_TXQE; if (!(s->mac_reg[TCTL] & E1000_TCTL_EN)) { DBGOUT(TX, "tx disabled\n");
+ show +
11
12
13
14
15
16
return; } while (s->mac_reg[TDH] != s->mac_reg[TDT]) { base = tx_desc_base(s) + sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
+ show +
17
18
19
20
21
22
23
24
25
26
pci_dma_read(d, base, &desc, sizeof(desc)); DBGOUT(TX, "index %d: %p : %x %x\n", s->mac_reg[TDH], (void *)(intptr_t)desc.buffer_addr, desc.lower.data, desc.upper.data); process_tx_desc(s, &desc); cause |= txdesc_writeback(s, base, &desc); if (++s->mac_reg[TDH] * sizeof(desc) >= s->mac_reg[TDLEN])
.\cloneFuncs\totalClone\Type-1\CVE-2016-1981_before_1mo_1449497911_start_xmit.c
1
2
3
4
5
6
7
8
9
10
static void start_xmit(E1000State *s) { PCIDevice *d = PCI_DEVICE(s); dma_addr_t base; struct e1000_tx_desc desc; uint32_t tdh_start = s->mac_reg[TDH], cause = E1000_ICS_TXQE; if (!(s->mac_reg[TCTL] & E1000_TCTL_EN)) { DBGOUT(TX, "tx disabled\n");
+ show +
11
12
13
14
15
16
return; } while (s->mac_reg[TDH] != s->mac_reg[TDT]) { base = tx_desc_base(s) + sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
+ show +
17
18
19
20
21
22
23
24
25
26
pci_dma_read(d, base, &desc, sizeof(desc)); DBGOUT(TX, "index %d: %p : %x %x\n", s->mac_reg[TDH], (void *)(intptr_t)desc.buffer_addr, desc.lower.data, desc.upper.data); process_tx_desc(s, &desc); cause |= txdesc_writeback(s, base, &desc); if (++s->mac_reg[TDH] * sizeof(desc) >= s->mac_reg[TDLEN])

[qemu_CVE-2016-1981_1453209440_e1000_receive_iov.diff] e1000_receive_iov_OLD.c #1
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) s->mac_reg[RDH] = 0; /* see comment in start_xmit; same here */ - if (s->mac_reg[RDH] == rdh_start) { + if (s->mac_reg[RDH] == rdh_start || + rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); set_ics(s, 0, E1000_ICS_RXO);
.\cloneFuncs\totalClone\Type-1\CVE-2016-1981_before_1mo_1449497911_e1000_receive_iov.c
116
117
118
119
120
121
122
123
124
125
} else { /* Guest zeroing out status is not a hardware requirement. Clear EOP in case guest didn't do it. */ desc.status &= ~E1000_RXD_STAT_EOP; } } else { // as per intel docs; skip descriptors with null buf addr DBGOUT(RX, "Null RX descriptor!!\n"); } pci_dma_write(d, base, &desc, sizeof(desc));
+ show +
126
127
128
129
130
131
132
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) s->mac_reg[RDH] = 0; /* see comment in start_xmit; same here */ if (s->mac_reg[RDH] == rdh_start) { DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); set_ics(s, 0, E1000_ICS_RXO);
+ show +
133
134
135
136
137
138
139
140
141
142
return -1; } } while (desc_offset < total_size); increase_size_stats(s, PRCregs, total_size); inc_reg_if_not_full(s, TPR); s->mac_reg[GPRC] = s->mac_reg[TPR]; /* TOR - Total Octets Received: * This register includes bytes received in a packet from the <Destination * Address> field through the <CRC> field, inclusively.
.\cloneFuncs\totalClone\Type-3\CVE-2016-1981_before_6mo_1435223885_e1000_receive_iov.c
112
113
114
115
116
117
118
119
120
121
} else { /* Guest zeroing out status is not a hardware requirement. Clear EOP in case guest didn't do it. */ desc.status &= ~E1000_RXD_STAT_EOP; } } else { // as per intel docs; skip descriptors with null buf addr DBGOUT(RX, "Null RX descriptor!!\n"); } pci_dma_write(d, base, &desc, sizeof(desc));
+ show +
122
123
124
125
126
127
128
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) s->mac_reg[RDH] = 0; /* see comment in start_xmit; same here */ if (s->mac_reg[RDH] == rdh_start) { DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); set_ics(s, 0, E1000_ICS_RXO);
+ show +
129
130
131
132
133
134
135
136
137
138
return -1; } } while (desc_offset < total_size); s->mac_reg[GPRC]++; s->mac_reg[TPR]++; /* TOR - Total Octets Received: * This register includes bytes received in a packet from the <Destination * Address> field through the <CRC> field, inclusively. */

[linux_CVE-2016-2085_1455235124_evm_verify_hmac.diff] evm_verify_hmac_OLD.c #1
xattr_value_len, calc.digest); if (rc) break; - rc = memcmp(xattr_data->digest, calc.digest, + rc = crypto_memneq(xattr_data->digest, calc.digest, sizeof(calc.digest)); if (rc) rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2085_before_1mo_1445538386_evm_verify_hmac.c
30
31
32
33
34
35
36
37
38
39
} goto out; } xattr_len = rc; /* check value type */ switch (xattr_data->type) { case EVM_XATTR_HMAC: rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
+ show +
40
41
42
43
44
45
46
xattr_value_len, calc.digest); if (rc) break; rc = memcmp(xattr_data->digest, calc.digest, sizeof(calc.digest)); if (rc) rc = -EINVAL;
+ show +
47
48
49
50
51
52
53
54
55
56
break; case EVM_IMA_XATTR_DIGSIG: rc = evm_calc_hash(dentry, xattr_name, xattr_value, xattr_value_len, calc.digest); if (rc) break; rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, (const char *)xattr_data, xattr_len, calc.digest, sizeof(calc.digest)); if (!rc) {

[openssl_CVE-2016-2105_1457086637_EVP_EncodeUpdate.diff] EVP_EncodeUpdate_OLD.c #1
if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2105_before_1mo_1450461443_EVP_EncodeUpdate.c
1
2
3
4
5
6
7
void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int i, j; unsigned int total = 0; *outl = 0;
+ show +
8
9
10
11
12
13
14
if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if ((ctx->num + inl) < ctx->length) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return;
+ show +
15
16
17
18
19
20
21
22
23
24
} if (ctx->num != 0) { i = ctx->length - ctx->num; memcpy(&(ctx->enc_data[ctx->num]), in, i); in += i; inl -= i; j = EVP_EncodeBlock(out, ctx->enc_data, ctx->length); ctx->num = 0; out += j; *(out++) = '\n';

[openssl_CVE-2016-2106_1457048183_EVP_EncryptUpdate.diff] EVP_EncryptUpdate_OLD.c #1
bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2106_before_1mo_1450461443_EVP_EncryptUpdate.c
20
21
22
23
24
25
26
27
28
29
if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) { if (ctx->cipher->do_cipher(ctx, out, in, inl)) { *outl = inl; return 1; } else { *outl = 0; return 0; } } i = ctx->buf_len;
+ show +
30
31
32
33
34
35
36
bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { if (i + inl < bl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0;
+ show +
37
38
39
40
41
42
43
44
45
46
return 1; } else { j = bl - i; memcpy(&(ctx->buf[i]), in, j); if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl)) return 0; inl -= j; in += j; out += bl; *outl = bl;

[openssl_CVE-2016-2107_1460840936_aesni_cbc_hmac_sha256_cipher.diff] aesni_cbc_hmac_sha256_cipher_OLD.c #1
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2107_before_imd_1462104874_aesni_cbc_hmac_sha256_cipher.c
112
113
114
115
116
117
118
119
120
121
if (len < (iv + SHA256_DIGEST_LENGTH + 1)) return 0; /* omit explicit iv */ out += iv; len -= iv; /* figure out payload length */ pad = out[len - 1]; maxpad = len - (SHA256_DIGEST_LENGTH + 1);
+ show +
122
123
124
125
126
127
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask;
+ show +
128
129
130
131
132
133
134
135
136
137
ret &= (int)mask; key->aux.tls_aad[plen - 2] = inp_len >> 8; key->aux.tls_aad[plen - 1] = inp_len; /* calculate HMAC */ key->md = key->head; SHA256_Update(&key->md, key->aux.tls_aad, plen); # if 1
.\cloneFuncs\totalClone\Type-2\CVE-2016-2107_before_1mo_1457345847_aesni_cbc_hmac_sha256_cipher.c
112
113
114
115
116
117
118
119
120
121
if (len < (iv + SHA256_DIGEST_LENGTH + 1)) return 0; /* omit explicit iv */ out += iv; len -= iv; /* figure out payload length */ pad = out[len - 1]; maxpad = len - (SHA256_DIGEST_LENGTH + 1);
+ show +
122
123
124
125
126
127
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask;
+ show +
128
129
130
131
132
133
134
135
136
137
ret &= (int)mask; key->aux.tls_aad[plen - 2] = inp_len >> 8; key->aux.tls_aad[plen - 1] = inp_len; /* calculate HMAC */ key->md = key->head; SHA256_Update(&key->md, key->aux.tls_aad, plen); # if 1
.\cloneFuncs\totalClone\Type-3\CVE-2016-2107_before_6mo_1434005513_aesni_cbc_hmac_sha256_cipher.c
99
100
101
102
103
104
105
106
107
108
if (len < (iv + SHA256_DIGEST_LENGTH + 1)) return 0; /* omit explicit iv */ out += iv; len -= iv; /* figure out payload length */ pad = out[len - 1]; maxpad = len - (SHA256_DIGEST_LENGTH + 1);
+ show +
109
110
111
112
113
114
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask;
+ show +
115
116
117
118
119
120
121
122
123
124
ret &= (int)mask; key->aux.tls_aad[plen - 2] = inp_len >> 8; key->aux.tls_aad[plen - 1] = inp_len; /* calculate HMAC */ key->md = key->head; SHA256_Update(&key->md, key->aux.tls_aad, plen); # if 1

[openssl_CVE-2016-2108_1460684229_asn1_ex_i2c.diff] asn1_ex_i2c_OLD.c #1
cout ? &cout : NULL); case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */
.\cloneFuncs\totalClone\Type-1\CVE-2016-2108_before_1mo_1446203546_asn1_ex_i2c.c
60
61
62
63
64
65
66
67
68
69
if (!*tbool && !it->size) return -1; } c = (unsigned char)*tbool; cont = &c; len = 1; break; case V_ASN1_BIT_STRING: return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval,
+ show +
70
71
72
73
74
75
76
77
78
cout ? &cout : NULL); case V_ASN1_INTEGER: case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */
+ show +
79
80
81
82
83
84
85
86
87
88
return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL); case V_ASN1_OCTET_STRING: case V_ASN1_NUMERICSTRING: case V_ASN1_PRINTABLESTRING: case V_ASN1_T61STRING: case V_ASN1_VIDEOTEXSTRING: case V_ASN1_IA5STRING: case V_ASN1_UTCTIME: case V_ASN1_GENERALIZEDTIME:

[linux_CVE-2016-2117_1461190988_atl2_probe.diff] atl2_probe_OLD.c #1
err = -EIO; - netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; + netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); /* Init PHY as early as possible due to power saving issue */
.\cloneFuncs\totalClone\Type-1\CVE-2016-2117_before_1mo_1421165624_atl2_probe.c
67
68
69
70
71
72
73
74
75
76
netdev->mem_start = mmio_start; netdev->mem_end = mmio_start + mmio_len; adapter->bd_number = cards_found; adapter->pci_using_64 = false; /* setup the private structure */ err = atl2_sw_init(adapter); if (err) goto err_sw_init;
+ show +
77
78
79
80
81
82
err = -EIO; netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); /* Init PHY as early as possible due to power saving issue */
+ show +
83
84
85
86
87
88
89
90
91
92
atl2_phy_init(&adapter->hw); /* reset the controller to * put the device in a known good starting state */ if (atl2_reset_hw(&adapter->hw)) { err = -EIO; goto err_reset; }

[openssl_CVE-2016-2179_1467295587_dtls1_reset_seq_numbers.diff] dtls1_reset_seq_numbers_OLD.c #1
memcpy(&s->rlayer.d->bitmap, &s->rlayer.d->next_bitmap, sizeof(s->rlayer.d->bitmap)); memset(&s->rlayer.d->next_bitmap, 0, sizeof(s->rlayer.d->next_bitmap)); + + /* + * We must not use any buffered messages received from the previous + * epoch + */ + dtls1_clear_received_buffer(s); } else { seq = s->rlayer.write_sequence; memcpy(s->rlayer.d->last_write_sequence, seq,
.\cloneFuncs\totalClone\Type-1\CVE-2016-2179_before_imd_1467382833_dtls1_reset_seq_numbers.c
1
2
3
4
5
6
7
8
void dtls1_reset_seq_numbers(SSL *s, int rw) { unsigned char *seq; unsigned int seq_bytes = sizeof(s->rlayer.read_sequence); if (rw & SSL3_CC_READ) { seq = s->rlayer.read_sequence; s->rlayer.d->r_epoch++;
+ show +
9
10
11
12
13
14
memcpy(&s->rlayer.d->bitmap, &s->rlayer.d->next_bitmap, sizeof(s->rlayer.d->bitmap)); memset(&s->rlayer.d->next_bitmap, 0, sizeof(s->rlayer.d->next_bitmap)); } else { seq = s->rlayer.write_sequence; memcpy(s->rlayer.d->last_write_sequence, seq,
+ show +
15
16
17
18
19
20
sizeof(s->rlayer.write_sequence)); s->rlayer.d->w_epoch++; } memset(seq, 0, seq_bytes); }

[openssl_CVE-2016-2181_1467382833_dtls1_process_record.diff] dtls1_process_record_OLD.c #1
-int dtls1_process_record(SSL *s) +int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) { int i, al; int enc_err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2181_before_1mo_1463509110_dtls1_process_record.c
+ show +
1
2
3
4
int dtls1_process_record(SSL *s) { int i, al; int enc_err;
+ show +
5
6
7
8
9
10
11
12
13
14
SSL_SESSION *sess; SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; rr = RECORD_LAYER_get_rrec(&s->rlayer); sess = s->session; /* * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
.\cloneFuncs\totalClone\Type-2\CVE-2016-2181_before_6mo_1450788481_dtls1_process_record.c
+ show +
1
2
3
4
int dtls1_process_record(SSL *s) { int i, al; int enc_err;
+ show +
5
6
7
8
9
10
11
12
13
14
SSL_SESSION *sess; SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; rr = RECORD_LAYER_get_rrec(&s->rlayer); sess = s->session; /* * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,

[openssl_CVE-2016-2181_1467382833_dtls1_process_record.diff] dtls1_process_record_OLD.c #2
/* we have pulled in a full packet so zero things */ RECORD_LAYER_reset_packet_length(&s->rlayer); + + /* Mark receipt of record. */ + dtls1_record_bitmap_update(s, bitmap); + return (1); f_err:
.\cloneFuncs\totalClone\Type-1\CVE-2016-2181_before_1mo_1463509110_dtls1_process_record.c
145
146
147
148
149
150
151
152
153
154
rr->off = 0; /*- * So at this point the following is true * ssl->s3->rrec.type is the type of record * ssl->s3->rrec.length == number of bytes in record * ssl->s3->rrec.off == offset to first valid byte * ssl->s3->rrec.data == where to take bytes from, increment * after use :-). */
+ show +
155
156
157
158
159
/* we have pulled in a full packet so zero things */ RECORD_LAYER_reset_packet_length(&s->rlayer); return (1); f_err:
+ show +
160
161
162
163
ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (0); }
.\cloneFuncs\totalClone\Type-2\CVE-2016-2181_before_6mo_1450788481_dtls1_process_record.c
145
146
147
148
149
150
151
152
153
154
rr->off = 0; /*- * So at this point the following is true * ssl->s3->rrec.type is the type of record * ssl->s3->rrec.length == number of bytes in record * ssl->s3->rrec.off == offset to first valid byte * ssl->s3->rrec.data == where to take bytes from, increment * after use :-). */
+ show +
155
156
157
158
159
/* we have pulled in a full packet so zero things */ RECORD_LAYER_reset_packet_length(&s->rlayer); return (1); f_err:
+ show +
160
161
162
163
ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (0); }

[openssl_CVE-2016-2181_1467382833_dtls1_get_record.diff] dtls1_get_record_OLD.c #1
* The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ - if (dtls1_process_buffered_records(s) < 0) + if (!dtls1_process_buffered_records(s)) return -1; /* if we're renegotiating, then there may be buffered records */
.\cloneFuncs\totalClone\Type-1\CVE-2016-2181_before_imd_1467708668_dtls1_get_record.c
5
6
7
8
9
10
11
12
13
14
SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr = RECORD_LAYER_get_rrec(&s->rlayer); again: /*
+ show +
15
16
17
18
19
20
21
* The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ if (dtls1_process_buffered_records(s) < 0) return -1; /* if we're renegotiating, then there may be buffered records */
+ show +
22
23
24
25
26
27
28
29
30
31
if (dtls1_get_processed_record(s)) return 1; /* get something from the wire */ /* check if we have the header */ if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) { n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
.\cloneFuncs\totalClone\Type-3\CVE-2016-2181_before_1mo_1463509110_dtls1_get_record.c
4
5
6
7
8
9
10
11
12
13
int i, n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr = RECORD_LAYER_get_rrec(&s->rlayer); /*
+ show +
14
15
16
17
18
19
20
* The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ if (dtls1_process_buffered_records(s) < 0) return -1; /* if we're renegotiating, then there may be buffered records */
+ show +
21
22
23
24
25
26
27
28
29
30
if (dtls1_get_processed_record(s)) return 1; /* get something from the wire */ again: /* check if we have the header */ if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) { n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
.\cloneFuncs\totalClone\Type-3\CVE-2016-2181_before_6mo_1450788481_dtls1_get_record.c
4
5
6
7
8
9
10
11
12
13
int i, n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr = RECORD_LAYER_get_rrec(&s->rlayer); /*
+ show +
14
15
16
17
18
19
20
* The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ if (dtls1_process_buffered_records(s) < 0) return -1; /* if we're renegotiating, then there may be buffered records */
+ show +
21
22
23
24
25
26
27
28
29
30
if (dtls1_get_processed_record(s)) return 1; /* get something from the wire */ again: /* check if we have the header */ if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) { n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
.\cloneFuncs\totalClone\Type-4\CVE-2015-0206_after_1mo_1423237932_dtls1_get_record.c
4
5
6
7
8
9
10
11
12
13
int i, n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr = &(s->s3->rrec); /*
+ show +
14
15
16
17
18
19
20
* The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ if (dtls1_process_buffered_records(s) < 0) return -1; /* if we're renegotiating, then there may be buffered records */
+ show +
21
22
23
24
25
26
27
28
29
30
if (dtls1_get_processed_record(s)) return 1; /* get something from the wire */ again: /* check if we have the header */ if ((s->rstate != SSL_ST_READ_BODY) || (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); /* read timeout is handled by dtls1_read_bytes */

[openssl_CVE-2016-2181_1467382833_dtls1_get_record.diff] dtls1_get_record_OLD.c #2
if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { #endif /* Check whether this is a repeat, or aged record. */ + /* + * TODO: Does it make sense to have replay protection in epoch 0 where + * we have no integrity negotiated yet? + */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
.\cloneFuncs\totalClone\Type-1\CVE-2016-2181_before_imd_1467708668_dtls1_get_record.c
113
114
115
116
117
118
119
120
121
122
/* match epochs. NULL means the packet is dropped on the floor */ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP /* Only do replay check if no SCTP bio */
+ show +
123
124
125
126
127
128
if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { #endif /* Check whether this is a repeat, or aged record. */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
+ show +
129
130
131
132
133
134
135
136
137
138
goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP } #endif /* just read a 0 length packet */ if (rr->length == 0) goto again;
.\cloneFuncs\totalClone\Type-3\CVE-2016-2181_before_1mo_1463509110_dtls1_get_record.c
111
112
113
114
115
116
117
118
119
120
/* match epochs. NULL means the packet is dropped on the floor */ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP /* Only do replay check if no SCTP bio */
+ show +
121
122
123
124
125
126
if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { #endif /* Check whether this is a repeat, or aged record. */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
+ show +
127
128
129
130
131
132
133
134
135
136
goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP } #endif /* just read a 0 length packet */ if (rr->length == 0) goto again;
.\cloneFuncs\totalClone\Type-3\CVE-2016-2181_before_6mo_1450788481_dtls1_get_record.c
111
112
113
114
115
116
117
118
119
120
/* match epochs. NULL means the packet is dropped on the floor */ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP /* Only do replay check if no SCTP bio */
+ show +
121
122
123
124
125
126
if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { #endif /* Check whether this is a repeat, or aged record. */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
+ show +
127
128
129
130
131
132
133
134
135
136
goto again; /* get another record */ } #ifndef OPENSSL_NO_SCTP } #endif /* just read a 0 length packet */ if (rr->length == 0) goto again;

[ffmpeg_CVE-2016-2326_1457105527_asf_write_header1.diff] asf_write_header1_OLD.c #1
AVCodecParameters *par; int64_t header_offset, cur_pos, hpos; int bit_rate; - int64_t duration; + uint64_t play_duration, send_duration; ff_metadata_conv(&s->metadata, ff_asf_metadata_conv, NULL);
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_header1.c
1
2
3
4
5
6
7
8
9
static int asf_write_header1(AVFormatContext *s, int64_t file_size, int64_t data_chunk_size) { ASFContext *asf = s->priv_data; AVIOContext *pb = s->pb; AVDictionaryEntry *tags[5]; int header_size, n, extra_size, extra_size2, wav_extra_size, file_time; int has_title; int metadata_count;
+ show +
10
11
12
13
14
15
AVCodecParameters *par; int64_t header_offset, cur_pos, hpos; int bit_rate; int64_t duration; ff_metadata_conv(&s->metadata, ff_asf_metadata_conv, NULL);
+ show +
16
17
18
19
20
21
22
23
24
25
tags[0] = av_dict_get(s->metadata, "title", NULL, 0); tags[1] = av_dict_get(s->metadata, "author", NULL, 0); tags[2] = av_dict_get(s->metadata, "copyright", NULL, 0); tags[3] = av_dict_get(s->metadata, "comment", NULL, 0); tags[4] = av_dict_get(s->metadata, "rating", NULL, 0); duration = asf->duration + PREROLL_TIME * 10000; has_title = tags[0] || tags[1] || tags[2] || tags[3] || tags[4]; metadata_count = av_dict_count(s->metadata);

[ffmpeg_CVE-2016-2326_1457105527_asf_write_header1.diff] asf_write_header1_OLD.c #2
tags[3] = av_dict_get(s->metadata, "comment", NULL, 0); tags[4] = av_dict_get(s->metadata, "rating", NULL, 0); - duration = asf->duration + PREROLL_TIME * 10000; + if (asf->duration > UINT64_MAX / 10000 - PREROLL_TIME) { + av_log(s, AV_LOG_WARNING, "Duration %"PRIu64" too large\n", asf->duration); + if (s->error_recognition & AV_EF_EXPLODE) + return AVERROR(ERANGE); + send_duration = 0; + play_duration = 0; + } else { + send_duration = asf->duration * 10000; + play_duration = (asf->duration + PREROLL_TIME) * 10000; + } + has_title = tags[0] || tags[1] || tags[2] || tags[3] || tags[4]; metadata_count = av_dict_count(s->metadata);
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_header1.c
10
11
12
13
14
15
16
17
18
19
AVCodecParameters *par; int64_t header_offset, cur_pos, hpos; int bit_rate; int64_t duration; ff_metadata_conv(&s->metadata, ff_asf_metadata_conv, NULL); tags[0] = av_dict_get(s->metadata, "title", NULL, 0); tags[1] = av_dict_get(s->metadata, "author", NULL, 0); tags[2] = av_dict_get(s->metadata, "copyright", NULL, 0);
+ show +
20
21
22
23
24
25
tags[3] = av_dict_get(s->metadata, "comment", NULL, 0); tags[4] = av_dict_get(s->metadata, "rating", NULL, 0); duration = asf->duration + PREROLL_TIME * 10000; has_title = tags[0] || tags[1] || tags[2] || tags[3] || tags[4]; metadata_count = av_dict_count(s->metadata);
+ show +
26
27
28
29
30
31
32
33
34
35
bit_rate = 0; for (n = 0; n < s->nb_streams; n++) { par = s->streams[n]->codecpar; avpriv_set_pts_info(s->streams[n], 32, 1, 1000); /* 32 bit pts in ms */ bit_rate += par->bit_rate; }
.\cloneFuncs\totalClone\Type-2\CVE-2016-2326_before_1mo_1434372885_asf_write_header1.c
10
11
12
13
14
15
16
17
18
19
AVCodecContext *enc; int64_t header_offset, cur_pos, hpos; int bit_rate; int64_t duration; ff_metadata_conv(&s->metadata, ff_asf_metadata_conv, NULL); tags[0] = av_dict_get(s->metadata, "title", NULL, 0); tags[1] = av_dict_get(s->metadata, "author", NULL, 0); tags[2] = av_dict_get(s->metadata, "copyright", NULL, 0);
+ show +
20
21
22
23
24
25
tags[3] = av_dict_get(s->metadata, "comment", NULL, 0); tags[4] = av_dict_get(s->metadata, "rating", NULL, 0); duration = asf->duration + PREROLL_TIME * 10000; has_title = tags[0] || tags[1] || tags[2] || tags[3] || tags[4]; metadata_count = av_dict_count(s->metadata);
+ show +
26
27
28
29
30
31
32
33
34
35
bit_rate = 0; for (n = 0; n < s->nb_streams; n++) { enc = s->streams[n]->codec; avpriv_set_pts_info(s->streams[n], 32, 1, 1000); /* 32 bit pts in ms */ bit_rate += enc->bit_rate; }

[ffmpeg_CVE-2016-2326_1457105527_asf_write_header1.diff] asf_write_header1_OLD.c #3
file_time = 0; avio_wl64(pb, unix_to_file_time(file_time)); avio_wl64(pb, asf->nb_packets); /* number of packets */ - avio_wl64(pb, duration); /* end time stamp (in 100ns units) */ - avio_wl64(pb, asf->duration); /* duration (in 100ns units) */ + avio_wl64(pb, play_duration); /* end time stamp (in 100ns units) */ + avio_wl64(pb, send_duration); /* duration (in 100ns units) */ avio_wl64(pb, PREROLL_TIME); /* start time stamp */ avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2); /* ??? */ avio_wl32(pb, s->packet_size); /* packet size */
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_header1.c
41
42
43
44
45
46
47
48
49
50
avio_wl64(pb, -1); /* header length, will be patched after */ avio_wl32(pb, 3 + has_title + !!metadata_count + s->nb_streams); /* number of chunks in header */ avio_w8(pb, 1); /* ??? */ avio_w8(pb, 2); /* ??? */ /* file header */ header_offset = avio_tell(pb); hpos = put_header(pb, &ff_asf_file_header); put_guid(pb, &ff_asf_my_guid); avio_wl64(pb, file_size);
+ show +
51
52
53
54
55
56
57
58
file_time = 0; avio_wl64(pb, unix_to_file_time(file_time)); avio_wl64(pb, asf->nb_packets); /* number of packets */ avio_wl64(pb, duration); /* end time stamp (in 100ns units) */ avio_wl64(pb, asf->duration); /* duration (in 100ns units) */ avio_wl64(pb, PREROLL_TIME); /* start time stamp */ avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2); /* ??? */ avio_wl32(pb, s->packet_size); /* packet size */
+ show +
59
60
61
62
63
64
65
66
67
68
avio_wl32(pb, s->packet_size); /* packet size */ avio_wl32(pb, bit_rate); /* Nominal data rate in bps */ end_header(pb, hpos); /* unknown headers */ hpos = put_header(pb, &ff_asf_head1_guid); put_guid(pb, &ff_asf_head2_guid); avio_wl32(pb, 6); avio_wl16(pb, 0); end_header(pb, hpos);
.\cloneFuncs\totalClone\Type-2\CVE-2016-2326_before_1mo_1434372885_asf_write_header1.c
41
42
43
44
45
46
47
48
49
50
avio_wl64(pb, -1); /* header length, will be patched after */ avio_wl32(pb, 3 + has_title + !!metadata_count + s->nb_streams); /* number of chunks in header */ avio_w8(pb, 1); /* ??? */ avio_w8(pb, 2); /* ??? */ /* file header */ header_offset = avio_tell(pb); hpos = put_header(pb, &ff_asf_file_header); put_guid(pb, &ff_asf_my_guid); avio_wl64(pb, file_size);
+ show +
51
52
53
54
55
56
57
58
file_time = 0; avio_wl64(pb, unix_to_file_time(file_time)); avio_wl64(pb, asf->nb_packets); /* number of packets */ avio_wl64(pb, duration); /* end time stamp (in 100ns units) */ avio_wl64(pb, asf->duration); /* duration (in 100ns units) */ avio_wl64(pb, PREROLL_TIME); /* start time stamp */ avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2); /* ??? */ avio_wl32(pb, s->packet_size); /* packet size */
+ show +
59
60
61
62
63
64
65
66
67
68
avio_wl32(pb, s->packet_size); /* packet size */ avio_wl32(pb, bit_rate); /* Nominal data rate in bps */ end_header(pb, hpos); /* unknown headers */ hpos = put_header(pb, &ff_asf_head1_guid); put_guid(pb, &ff_asf_head2_guid); avio_wl32(pb, 6); avio_wl16(pb, 0); end_header(pb, hpos);

[ffmpeg_CVE-2016-2326_1457105527_asf_write_packet.diff] asf_write_packet_OLD.c #1
ASFContext *asf = s->priv_data; AVIOContext *pb = s->pb; ASFStream *stream; - int64_t duration; AVCodecParameters *par; int64_t packet_st, pts; int start_sec, i;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_packet.c
1
2
static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) {
+ show +
3
4
5
6
7
8
9
ASFContext *asf = s->priv_data; AVIOContext *pb = s->pb; ASFStream *stream; int64_t duration; AVCodecParameters *par; int64_t packet_st, pts; int start_sec, i;
+ show +
10
11
12
13
14
15
16
17
18
19
int flags = pkt->flags; uint64_t offset = avio_tell(pb); par = s->streams[pkt->stream_index]->codecpar; stream = &asf->streams[pkt->stream_index]; if (par->codec_type == AVMEDIA_TYPE_AUDIO) flags &= ~AV_PKT_FLAG_KEY; pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts;

[ffmpeg_CVE-2016-2326_1457105527_asf_write_packet.diff] asf_write_packet_OLD.c #2
pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); - duration = pts * 10000; - asf->duration = FFMAX(asf->duration, duration + pkt->duration * 10000); + + if (pts > UINT64_MAX - pkt->duration) + return AVERROR(ERANGE); + asf->duration = FFMAX(asf->duration, pts + pkt->duration); packet_st = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index],
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_packet.c
9
10
11
12
13
14
15
16
17
18
int start_sec, i; int flags = pkt->flags; uint64_t offset = avio_tell(pb); par = s->streams[pkt->stream_index]->codecpar; stream = &asf->streams[pkt->stream_index]; if (par->codec_type == AVMEDIA_TYPE_AUDIO) flags &= ~AV_PKT_FLAG_KEY;
+ show +
19
20
21
22
23
24
25
pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); duration = pts * 10000; asf->duration = FFMAX(asf->duration, duration + pkt->duration * 10000); packet_st = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index],
+ show +
26
27
28
29
30
31
32
33
34
35
pkt->dts, pkt->data, pkt->size, flags); /* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { start_sec = (int)(duration / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) { int err; asf->nb_index_memory_alloc += ASF_INDEX_BLOCK;
.\cloneFuncs\totalClone\Type-2\CVE-2016-2326_before_1mo_1434372885_asf_write_packet.c
9
10
11
12
13
14
15
16
17
18
int start_sec, i; int flags = pkt->flags; uint64_t offset = avio_tell(pb); codec = s->streams[pkt->stream_index]->codec; stream = &asf->streams[pkt->stream_index]; if (codec->codec_type == AVMEDIA_TYPE_AUDIO) flags &= ~AV_PKT_FLAG_KEY;
+ show +
19
20
21
22
23
24
25
pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); duration = pts * 10000; asf->duration = FFMAX(asf->duration, duration + pkt->duration * 10000); packet_st = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index],
+ show +
26
27
28
29
30
31
32
33
34
35
pkt->dts, pkt->data, pkt->size, flags); /* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { start_sec = (int)(duration / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) { int err; asf->nb_index_memory_alloc += ASF_INDEX_BLOCK;

[ffmpeg_CVE-2016-2326_1457105527_asf_write_packet.diff] asf_write_packet_OLD.c #3
/* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { - start_sec = (int)(duration / INT64_C(10000000)); - if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { + if (pts / 1000LL > INT_MAX) + return AVERROR(ERANGE); + + start_sec = pts / 1000; + if (start_sec != asf->last_indexed_pts / 1000) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) { int err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-2326_before_imd_1403116972_asf_write_packet.c
18
19
20
21
22
23
24
25
26
27
pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); duration = pts * 10000; asf->duration = FFMAX(asf->duration, duration + pkt->duration * 10000); packet_st = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index], pkt->dts, pkt->data, pkt->size, flags);
+ show +
28
29
30
31
32
33
34
/* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { start_sec = (int)(duration / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) { int err;
+ show +
35
36
37
38
39
40
41
42
43
44
asf->nb_index_memory_alloc += ASF_INDEX_BLOCK; if ((err = av_reallocp_array(&asf->index_ptr, asf->nb_index_memory_alloc, sizeof(*asf->index_ptr))) < 0) { asf->nb_index_memory_alloc = 0; return err; } } // store asf->index_ptr[i].packet_number = (uint32_t)packet_st;
.\cloneFuncs\totalClone\Type-2\CVE-2016-2326_before_1mo_1434372885_asf_write_packet.c
18
19
20
21
22
23
24
25
26
27
pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); duration = pts * 10000; asf->duration = FFMAX(asf->duration, duration + pkt->duration * 10000); packet_st = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index], pkt->dts, pkt->data, pkt->size, flags);
+ show +
28
29
30
31
32
33
34
/* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { start_sec = (int)(duration / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) { int err;
+ show +
35
36
37
38
39
40
41
42
43
44
asf->nb_index_memory_alloc += ASF_INDEX_BLOCK; if ((err = av_reallocp_array(&asf->index_ptr, asf->nb_index_memory_alloc, sizeof(*asf->index_ptr))) < 0) { asf->nb_index_memory_alloc = 0; return err; } } // store asf->index_ptr[i].packet_number = (uint32_t)packet_st;

[ffmpeg_CVE-2016-3062_1457434636_mov_read_dref.diff] mov_read_dref_OLD.c #1
avio_rb32(pb); // version + flags entries = avio_rb32(pb); - if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || + if (!entries || + entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || entries >= UINT_MAX / sizeof(*sc->drefs)) return AVERROR_INVALIDDATA; + sc->drefs_count = 0; av_free(sc->drefs); sc->drefs = av_mallocz(entries * sizeof(*sc->drefs)); if (!sc->drefs)
.\cloneFuncs\totalClone\Type-1\CVE-2016-3062_before_imd_1455590647_mov_read_dref.c
2
3
4
5
6
7
8
9
10
11
{ AVStream *st; MOVStreamContext *sc; int entries, i, j; if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data;
+ show +
12
13
14
15
16
17
18
19
avio_rb32(pb); // version + flags entries = avio_rb32(pb); if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || entries >= UINT_MAX / sizeof(*sc->drefs)) return AVERROR_INVALIDDATA; av_free(sc->drefs); sc->drefs = av_mallocz(entries * sizeof(*sc->drefs)); if (!sc->drefs)
+ show +
20
21
22
23
24
25
26
27
28
29
return AVERROR(ENOMEM); sc->drefs_count = entries; for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); int64_t next = avio_tell(pb) + size - 4; if (size < 12) return AVERROR_INVALIDDATA;
.\cloneFuncs\totalClone\Type-3\CVE-2016-3062_before_1mo_1452963223_mov_read_dref.c
2
3
4
5
6
7
8
9
10
11
{ AVStream *st; MOVStreamContext *sc; int entries, i, j; if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data;
+ show +
12
13
14
15
16
17
18
19
avio_rb32(pb); // version + flags entries = avio_rb32(pb); if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || entries >= UINT_MAX / sizeof(*sc->drefs)) return AVERROR_INVALIDDATA; av_free(sc->drefs); sc->drefs = av_mallocz(entries * sizeof(*sc->drefs)); if (!sc->drefs)
+ show +
20
21
22
23
24
25
26
27
28
29
return AVERROR(ENOMEM); sc->drefs_count = entries; for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); int64_t next = avio_tell(pb) + size - 4; if (size < 12) return AVERROR_INVALIDDATA;
.\cloneFuncs\totalClone\Type-3\CVE-2016-3062_before_6mo_1441188345_mov_read_dref.c
2
3
4
5
6
7
8
9
10
11
{ AVStream *st; MOVStreamContext *sc; int entries, i, j; if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data;
+ show +
12
13
14
15
16
17
18
19
avio_rb32(pb); // version + flags entries = avio_rb32(pb); if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || entries >= UINT_MAX / sizeof(*sc->drefs)) return AVERROR_INVALIDDATA; av_free(sc->drefs); sc->drefs = av_mallocz(entries * sizeof(*sc->drefs)); if (!sc->drefs)
+ show +
20
21
22
23
24
25
26
27
28
29
return AVERROR(ENOMEM); sc->drefs_count = entries; for (i = 0; i < sc->drefs_count; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); int64_t next = avio_tell(pb) + size - 4; if (size < 12) return AVERROR_INVALIDDATA;

[linux_CVE-2016-3137_1459440265_cypress_generic_port_probe.diff] cypress_generic_port_probe_OLD.c #1
struct usb_serial *serial = port->serial; struct cypress_private *priv; + if (!port->interrupt_out_urb || !port->interrupt_in_urb) { + dev_err(&port->dev, "required endpoint is missing\n"); + return -ENODEV; + } + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); if (!priv) return -ENOMEM;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3137_before_1mo_1394647782_cypress_generic_port_probe.c
1
2
static int cypress_generic_port_probe(struct usb_serial_port *port) {
+ show +
3
4
5
6
7
8
struct usb_serial *serial = port->serial; struct cypress_private *priv; priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); if (!priv) return -ENOMEM;
+ show +
9
10
11
12
13
14
15
16
17
18
priv->comm_is_ok = !0; spin_lock_init(&priv->lock); if (kfifo_alloc(&priv->write_fifo, CYPRESS_BUF_SIZE, GFP_KERNEL)) { kfree(priv); return -ENOMEM; } /* Skip reset for FRWD device. It is a workaound: device hangs if it receives SET_CONFIGURE in Configured

[linux_CVE-2016-3137_1459440265_cypress_open.diff] cypress_open_OLD.c #1
cypress_set_termios(tty, port, &priv->tmp_termios); /* setup the port and start reading from the device */ - if (!port->interrupt_in_urb) { - dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", - __func__); - return -1; - } - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), port->interrupt_in_urb->transfer_buffer,
.\cloneFuncs\totalClone\Type-1\CVE-2016-3137_before_1mo_1394647782_cypress_open.c
17
18
19
20
21
22
23
24
25
26
priv->bytes_in = 0; priv->bytes_out = 0; priv->cmd_count = 0; priv->rx_flags = 0; spin_unlock_irqrestore(&priv->lock, flags); /* Set termios */ cypress_send(port); if (tty)
+ show +
27
28
29
30
31
32
33
34
35
36
37
38
cypress_set_termios(tty, port, &priv->tmp_termios); /* setup the port and start reading from the device */ if (!port->interrupt_in_urb) { dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", __func__); return -1; } usb_fill_int_urb(port->interrupt_in_urb, serial->dev, usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), port->interrupt_in_urb->transfer_buffer,
+ show +
39
40
41
42
43
44
45
46
47
48
port->interrupt_in_urb->transfer_buffer_length, cypress_read_int_callback, port, priv->read_urb_interval); result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL); if (result) { dev_err(&port->dev, "%s - failed submitting read urb, error %d\n", __func__, result); cypress_set_dead(port); }

[libtiff_CVE-2016-3622_1474758715_PredictorSetup.diff] PredictorSetup_OLD.c #1
td->td_sampleformat); return 0; } + if (td->td_bitspersample != 16 + && td->td_bitspersample != 24 + && td->td_bitspersample != 32 + && td->td_bitspersample != 64) { /* Should 64 be allowed? */ + TIFFErrorExt(tif->tif_clientdata, module, + "Floating point \"Predictor\" not supported with %d-bit samples", + td->td_bitspersample); + return 0; + } break; default: TIFFErrorExt(tif->tif_clientdata, module,
.\cloneFuncs\totalClone\Type-1\CVE-2016-3622_before_1mo_1448206263_PredictorSetup.c
17
18
19
20
21
22
23
24
25
26
TIFFErrorExt(tif->tif_clientdata, module, "Horizontal differencing \"Predictor\" not supported with %d-bit samples", td->td_bitspersample); return 0; } break; case PREDICTOR_FLOATINGPOINT: if (td->td_sampleformat != SAMPLEFORMAT_IEEEFP) { TIFFErrorExt(tif->tif_clientdata, module, "Floating point \"Predictor\" not supported with %d data format",
+ show +
27
28
29
30
31
32
td->td_sampleformat); return 0; } break; default: TIFFErrorExt(tif->tif_clientdata, module,
+ show +
33
34
35
36
37
38
39
40
41
42
"\"Predictor\" value %d not supported", sp->predictor); return 0; } sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); /* * Calculate the scanline/tile-width size in bytes. */ if (isTiled(tif))

[qemu_CVE-2016-3712_1463475294_vbe_update_vgaregs.diff] vbe_update_vgaregs_OLD.c #1
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { shift_control = 0; - s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ + s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ } else { shift_control = 2; /* set chain 4 mode */ - s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; + s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; /* activate all planes */ - s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; + s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; } s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | (shift_control << 5);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vbe_ioport_write_data.c
60
61
62
63
64
65
66
67
68
69
/* height (only meaningful if < 1024) */ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; s->cr[VGA_CRTC_V_DISP_END] = h; s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | ((h >> 7) & 0x02) | ((h >> 3) & 0x40); /* line compare to 1023 */ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; s->cr[VGA_CRTC_OVERFLOW] |= 0x10; s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+ show +
70
71
72
73
74
75
76
77
78
79
80
81
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { shift_control = 0; s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ } else { shift_control = 2; /* set chain 4 mode */ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; /* activate all planes */ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; } s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | (shift_control << 5);
+ show +
82
83
84
85
86
87
88
89
90
91
s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ } else { s->bank_offset = 0; } s->dac_8bit = (val & VBE_DISPI_8BIT_DAC) > 0; s->vbe_regs[s->vbe_index] = val; vga_update_memory_access(s); break; default: break;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vbe_ioport_write_data.c
64
65
66
67
68
69
70
71
72
73
/* height (only meaningful if < 1024) */ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; s->cr[VGA_CRTC_V_DISP_END] = h; s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | ((h >> 7) & 0x02) | ((h >> 3) & 0x40); /* line compare to 1023 */ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; s->cr[VGA_CRTC_OVERFLOW] |= 0x10; s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+ show +
74
75
76
77
78
79
80
81
82
83
84
85
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { shift_control = 0; s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ } else { shift_control = 2; /* set chain 4 mode */ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; /* activate all planes */ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; } s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | (shift_control << 5);
+ show +
86
87
88
89
90
91
92
93
94
95
s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ } else { s->bank_offset = 0; } s->dac_8bit = (val & VBE_DISPI_8BIT_DAC) > 0; s->vbe_regs[s->vbe_index] = val; vga_update_memory_access(s); break; default: break;

[qemu_CVE-2016-3712_1463475294_vga_mem_readb.diff] vga_mem_readb_OLD.c #1
break; } - if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ assert(addr < s->vram_size); ret = s->vram_ptr[addr];
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vga_mem_readb.c
17
18
19
20
21
22
23
24
25
26
case 2: addr -= 0x10000; if (addr >= 0x8000) return 0xff; break; default: case 3: addr -= 0x18000; if (addr >= 0x8000) return 0xff;
+ show +
27
28
29
30
31
32
33
break; } if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ assert(addr < s->vram_size); ret = s->vram_ptr[addr];
+ show +
34
35
36
37
38
39
40
41
42
43
} else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); addr = ((addr & ~1) << 1) | plane; if (addr >= s->vram_size) { return 0xff; } ret = s->vram_ptr[addr]; } else { /* standard VGA latched access */

[qemu_CVE-2016-3712_1463475294_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #1
break; } - if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ plane = addr & 3; mask = (1 << plane); - if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { assert(addr < s->vram_size); s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vga_mem_writeb.c
20
21
22
23
24
25
26
27
28
29
case 2: addr -= 0x10000; if (addr >= 0x8000) return; break; default: case 3: addr -= 0x18000; if (addr >= 0x8000) return;
+ show +
30
31
32
33
34
35
36
37
38
39
40
break; } if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ plane = addr & 3; mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { assert(addr < s->vram_size); s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM
+ show +
41
42
43
44
45
46
47
48
49
50
printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); #endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {

[qemu_CVE-2016-3712_1463475294_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #2
/* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); mask = (1 << plane); - if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { addr = ((addr & ~1) << 1) | plane; if (addr >= s->vram_size) { return;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vga_mem_writeb.c
37
38
39
40
41
42
43
44
45
46
if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { assert(addr < s->vram_size); s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); #endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+ show +
47
48
49
50
51
52
53
/* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { addr = ((addr & ~1) << 1) | plane; if (addr >= s->vram_size) { return;
+ show +
54
55
56
57
58
59
60
61
62
63
} s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); #endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else { /* standard VGA latched access */

[qemu_CVE-2016-3712_1463475294_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #3
do_write: /* mask data according to sr[2] */ - mask = s->sr[VGA_SEQ_PLANE_WRITE]; + mask = sr(s, VGA_SEQ_PLANE_WRITE); s->plane_updated |= mask; /* only used to detect font change */ write_mask = mask16[mask]; if (addr * sizeof(uint32_t) >= s->vram_size) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vga_mem_writeb.c
113
114
115
116
117
118
119
120
121
122
/* xor */ val ^= s->latch; break; } /* apply bit mask */ bit_mask |= bit_mask << 8; bit_mask |= bit_mask << 16; val = (val & bit_mask) | (s->latch & ~bit_mask);
+ show +
123
124
125
126
127
128
do_write: /* mask data according to sr[2] */ mask = s->sr[VGA_SEQ_PLANE_WRITE]; s->plane_updated |= mask; /* only used to detect font change */ write_mask = mask16[mask]; if (addr * sizeof(uint32_t) >= s->vram_size) {
+ show +
129
130
131
132
133
134
135
136
137
138
return; } ((uint32_t *)s->vram_ptr)[addr] = (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | (val & write_mask); #ifdef DEBUG_VGA_MEM printf("vga: latch: [0x" TARGET_FMT_plx "] mask=0x%08x val=0x%08x\n", addr * 4, write_mask, val); #endif memory_region_set_dirty(&s->vram, addr << 2, sizeof(uint32_t));

[qemu_CVE-2016-3712_1463475294_vga_update_memory_access.diff] vga_update_memory_access_OLD.c #1
s->has_chain4_alias = false; s->plane_updated = 0xf; } - if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == - VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) == + VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { offset = 0; switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { case 0:
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_after_imd_1461672694_vga_update_memory_access.c
2
3
4
5
6
7
8
9
10
11
{ hwaddr base, offset, size; if (s->legacy_address_space == NULL) { return; } if (s->has_chain4_alias) { memory_region_del_subregion(s->legacy_address_space, &s->chain4_alias); object_unparent(OBJECT(&s->chain4_alias));
+ show +
12
13
14
15
16
17
18
19
s->has_chain4_alias = false; s->plane_updated = 0xf; } if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { offset = 0; switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { case 0:
+ show +
20
21
22
23
24
25
26
27
28
29
base = 0xa0000; size = 0x20000; break; case 1: base = 0xa0000; size = 0x10000; offset = s->bank_offset; break; case 2: base = 0xb0000;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vga_update_memory_access.c
2
3
4
5
6
7
8
9
10
11
{ hwaddr base, offset, size; if (s->legacy_address_space == NULL) { return; } if (s->has_chain4_alias) { memory_region_del_subregion(s->legacy_address_space, &s->chain4_alias); object_unparent(OBJECT(&s->chain4_alias));
+ show +
12
13
14
15
16
17
18
19
s->has_chain4_alias = false; s->plane_updated = 0xf; } if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { offset = 0; switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { case 0:
+ show +
20
21
22
23
24
25
26
27
28
29
base = 0xa0000; size = 0x20000; break; case 1: base = 0xa0000; size = 0x10000; offset = s->bank_offset; break; case 2: base = 0xb0000;

[qemu_CVE-2016-3710_1461653350_vbe_ioport_write_data.diff] vbe_ioport_write_data_OLD.c #1
vbe_fixup_regs(s); break; case VBE_DISPI_INDEX_BANK: - if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { - val &= (s->vbe_bank_mask >> 2); - } else { - val &= s->vbe_bank_mask; - } + val &= s->vbe_bank_mask; s->vbe_regs[s->vbe_index] = val; s->bank_offset = (val << 16); vga_update_memory_access(s);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vbe_ioport_write_data.c
16
17
18
19
20
21
22
23
24
25
s->vbe_regs[s->vbe_index] = val; } break; case VBE_DISPI_INDEX_XRES: case VBE_DISPI_INDEX_YRES: case VBE_DISPI_INDEX_BPP: case VBE_DISPI_INDEX_VIRT_WIDTH: case VBE_DISPI_INDEX_X_OFFSET: case VBE_DISPI_INDEX_Y_OFFSET: s->vbe_regs[s->vbe_index] = val;
+ show +
26
27
28
29
30
31
32
33
34
35
36
vbe_fixup_regs(s); break; case VBE_DISPI_INDEX_BANK: if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { val &= (s->vbe_bank_mask >> 2); } else { val &= s->vbe_bank_mask; } s->vbe_regs[s->vbe_index] = val; s->bank_offset = (val << 16); vga_update_memory_access(s);
+ show +
37
38
39
40
41
42
43
44
45
46
break; case VBE_DISPI_INDEX_ENABLE: if ((val & VBE_DISPI_ENABLED) && !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { int h, shift_control; s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0; s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0; s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0; s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;

[qemu_CVE-2016-3710_1461653350_vga_mem_readb.diff] vga_mem_readb_OLD.c #1
if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ + assert(addr < s->vram_size); ret = s->vram_ptr[addr]; } else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); - ret = s->vram_ptr[((addr & ~1) << 1) | plane]; + addr = ((addr & ~1) << 1) | plane; + if (addr >= s->vram_size) { + return 0xff; + } + ret = s->vram_ptr[addr]; } else { /* standard VGA latched access */ + if (addr * sizeof(uint32_t) >= s->vram_size) { + return 0xff; + } s->latch = ((uint32_t *)s->vram_ptr)[addr]; if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vga_mem_readb.c
20
21
22
23
24
25
26
27
28
29
return 0xff; break; default: case 3: addr -= 0x18000; if (addr >= 0x8000) return 0xff; break; }
+ show +
30
31
32
33
34
35
36
37
38
39
40
41
if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */ ret = s->vram_ptr[addr]; } else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); ret = s->vram_ptr[((addr & ~1) << 1) | plane]; } else { /* standard VGA latched access */ s->latch = ((uint32_t *)s->vram_ptr)[addr]; if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+ show +
42
43
44
45
46
47
48
49
50
51
/* read mode 0 */ plane = s->gr[VGA_GFX_PLANE_READ]; ret = GET_PLANE(s->latch, plane); } else { /* read mode 1 */ ret = (s->latch ^ mask16[s->gr[VGA_GFX_COMPARE_VALUE]]) & mask16[s->gr[VGA_GFX_COMPARE_MASK]]; ret |= ret >> 16; ret |= ret >> 8; ret = (~ret) & 0xff;

[qemu_CVE-2016-3710_1461653350_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #1
plane = addr & 3; mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + assert(addr < s->vram_size); s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vga_mem_writeb.c
25
26
27
28
29
30
31
32
33
34
default: case 3: addr -= 0x18000; if (addr >= 0x8000) return; break; } if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { /* chain 4 mode : simplest access */
+ show +
35
36
37
38
39
40
plane = addr & 3; mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+ show +
41
42
43
44
45
46
47
48
49
50
#endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { addr = ((addr & ~1) << 1) | plane;

[qemu_CVE-2016-3710_1461653350_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #2
mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { addr = ((addr & ~1) << 1) | plane; + if (addr >= s->vram_size) { + return; + } s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vga_mem_writeb.c
38
39
40
41
42
43
44
45
46
47
s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); #endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else if (s->gr[VGA_GFX_MODE] & 0x10) { /* odd/even mode (aka text mode mapping) */ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+ show +
48
49
50
51
52
53
mask = (1 << plane); if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { addr = ((addr & ~1) << 1) | plane; s->vram_ptr[addr] = val; #ifdef DEBUG_VGA_MEM printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+ show +
54
55
56
57
58
59
60
61
62
63
#endif s->plane_updated |= mask; /* only used to detect font change */ memory_region_set_dirty(&s->vram, addr, 1); } } else { /* standard VGA latched access */ write_mode = s->gr[VGA_GFX_MODE] & 3; switch(write_mode) { default: case 0:

[qemu_CVE-2016-3710_1461653350_vga_mem_writeb.diff] vga_mem_writeb_OLD.c #3
mask = s->sr[VGA_SEQ_PLANE_WRITE]; s->plane_updated |= mask; /* only used to detect font change */ write_mask = mask16[mask]; + if (addr * sizeof(uint32_t) >= s->vram_size) { + return; + } ((uint32_t *)s->vram_ptr)[addr] = (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | (val & write_mask);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3710_before_1mo_1457942488_vga_mem_writeb.c
111
112
113
114
115
116
117
118
119
120
break; } /* apply bit mask */ bit_mask |= bit_mask << 8; bit_mask |= bit_mask << 16; val = (val & bit_mask) | (s->latch & ~bit_mask); do_write: /* mask data according to sr[2] */
+ show +
121
122
123
124
125
126
mask = s->sr[VGA_SEQ_PLANE_WRITE]; s->plane_updated |= mask; /* only used to detect font change */ write_mask = mask16[mask]; ((uint32_t *)s->vram_ptr)[addr] = (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | (val & write_mask);
+ show +
127
128
129
130
131
132
133
#ifdef DEBUG_VGA_MEM printf("vga: latch: [0x" TARGET_FMT_plx "] mask=0x%08x val=0x%08x\n", addr * 4, write_mask, val); #endif memory_region_set_dirty(&s->vram, addr << 2, sizeof(uint32_t)); } }

[qemu_CVE-2017-13672_1507644802_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #2
s->get_resolution(s, &width, &height); disp_width = width; + region_start = (s->start_addr * 4); + region_end = region_start + s->line_offset * height; + if (region_end > s->vbe_size) { + /* wraps around (can happen with cirrus vbe modes) */ + region_start = 0; + region_end = s->vbe_size; + force_shadow = true; + } + shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_after_1mo_1466435958_vga_draw_graphic.c
14
15
16
17
18
19
20
21
22
23
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); if (!full_update) vga_sync_dirty_bitmap(s);
+ show +
24
25
26
27
28
29
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
30
31
32
33
34
35
36
37
38
39
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
14
15
16
17
18
19
20
21
22
23
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); if (!full_update) vga_sync_dirty_bitmap(s);
+ show +
24
25
26
27
28
29
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
30
31
32
33
34
35
36
37
38
39
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13672_before_imd_1507644801_vga_draw_graphic.c
12
13
14
15
16
17
18
19
20
21
bool share_surface; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s);
+ show +
22
23
24
25
26
27
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
28
29
30
31
32
33
34
35
36
37
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13673_before_imd_1498129456_vga_draw_graphic.c
12
13
14
15
16
17
18
19
20
21
bool share_surface; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s);
+ show +
22
23
24
25
26
27
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
28
29
30
31
32
33
34
35
36
37
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_after_imd_1503923346_vga_draw_graphic.c
12
13
14
15
16
17
18
19
20
21
bool share_surface; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s);
+ show +
22
23
24
25
26
27
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
28
29
30
31
32
33
34
35
36
37
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_before_1mo_1499438569_vga_draw_graphic.c
12
13
14
15
16
17
18
19
20
21
bool share_surface; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s);
+ show +
22
23
24
25
26
27
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
28
29
30
31
32
33
34
35
36
37
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-3712_after_6mo_1486561892_vga_draw_graphic.c
14
15
16
17
18
19
20
21
22
23
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); if (!full_update) vga_sync_dirty_bitmap(s);
+ show +
24
25
26
27
28
29
s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) {
+ show +
30
31
32
33
34
35
36
37
38
39
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else { /* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) {

[qemu_CVE-2017-13672_1507644802_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #3
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) - && !s->force_shadow; + && !s->force_shadow && !force_shadow; } else { share_surface = false; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_after_1mo_1466435958_vga_draw_graphic.c
53
54
55
56
57
58
59
60
61
62
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
63
64
65
66
67
68
69
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
70
71
72
73
74
75
76
77
78
79
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
53
54
55
56
57
58
59
60
61
62
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
63
64
65
66
67
68
69
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
70
71
72
73
74
75
76
77
78
79
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13672_before_imd_1507644801_vga_draw_graphic.c
51
52
53
54
55
56
57
58
59
60
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
61
62
63
64
65
66
67
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
68
69
70
71
72
73
74
75
76
77
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13673_before_imd_1498129456_vga_draw_graphic.c
51
52
53
54
55
56
57
58
59
60
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
61
62
63
64
65
66
67
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
68
69
70
71
72
73
74
75
76
77
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_after_imd_1503923346_vga_draw_graphic.c
51
52
53
54
55
56
57
58
59
60
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
61
62
63
64
65
66
67
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
68
69
70
71
72
73
74
75
76
77
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_before_1mo_1499438569_vga_draw_graphic.c
51
52
53
54
55
56
57
58
59
60
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
61
62
63
64
65
66
67
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
68
69
70
71
72
73
74
75
76
77
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));
.\cloneFuncs\totalClone\Type-3\CVE-2016-3712_after_6mo_1486561892_vga_draw_graphic.c
53
54
55
56
57
58
59
60
61
62
} depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */
+ show +
63
64
65
66
67
68
69
format = qemu_default_pixman_format(depth, !byteswap); if (format) { share_surface = dpy_gfx_check_format(s->con, format) && !s->force_shadow; } else { share_surface = false; }
+ show +
70
71
72
73
74
75
76
77
78
79
if (s->line_offset != s->last_line_offset || disp_width != s->last_width || height != s->last_height || s->last_depth != depth || s->last_byteswap != byteswap || share_surface != is_buffer_shared(surface)) { if (share_surface) { surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4));

[qemu_CVE-2018-5683_1515677244_vga_draw_text.diff] vga_draw_text_OLD.c #1
cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min)
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_after_1mo_1466435958_vga_draw_text.c
94
95
96
97
98
99
100
101
102
103
} dest = surface_data(surface); linesize = surface_stride(surface); ch_attr_ptr = s->last_ch_attr; line = 0; offset = s->start_addr * 4; for(cy = 0; cy < height; cy++) { d1 = dest; src = s->vram_ptr + offset;
+ show +
104
105
106
107
108
109
cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min)
+ show +
110
111
112
113
114
115
116
117
118
119
cx_min = cx; if (cx > cx_max) cx_max = cx; *ch_attr_ptr = ch_attr; #ifdef HOST_WORDS_BIGENDIAN ch = ch_attr >> 8; cattr = ch_attr & 0xff; #else ch = ch_attr & 0xff; cattr = ch_attr >> 8;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_text.c
94
95
96
97
98
99
100
101
102
103
} dest = surface_data(surface); linesize = surface_stride(surface); ch_attr_ptr = s->last_ch_attr; line = 0; offset = s->start_addr * 4; for(cy = 0; cy < height; cy++) { d1 = dest; src = s->vram_ptr + offset;
+ show +
104
105
106
107
108
109
cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min)
+ show +
110
111
112
113
114
115
116
117
118
119
cx_min = cx; if (cx > cx_max) cx_max = cx; *ch_attr_ptr = ch_attr; #ifdef HOST_WORDS_BIGENDIAN ch = ch_attr >> 8; cattr = ch_attr & 0xff; #else ch = ch_attr & 0xff; cattr = ch_attr >> 8;

[qemu_CVE-2016-3712_1463475294_vga_common_reset.diff] vga_common_reset_OLD.c #1
{ s->sr_index = 0; memset(s->sr, '\0', sizeof(s->sr)); + memset(s->sr_vbe, '\0', sizeof(s->sr_vbe)); s->gr_index = 0; memset(s->gr, '\0', sizeof(s->gr)); s->ar_index = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_common_reset.c
1
void vga_common_reset(VGACommonState *s)
+ show +
2
3
4
5
6
7
{ s->sr_index = 0; memset(s->sr, '\0', sizeof(s->sr)); s->gr_index = 0; memset(s->gr, '\0', sizeof(s->gr)); s->ar_index = 0;
+ show +
8
9
10
11
12
13
14
15
16
17
memset(s->ar, '\0', sizeof(s->ar)); s->ar_flip_flop = 0; s->cr_index = 0; memset(s->cr, '\0', sizeof(s->cr)); s->msr = 0; s->fcr = 0; s->st00 = 0; s->st01 = 0; s->dac_state = 0; s->dac_sub_index = 0;

[qemu_CVE-2016-3712_1463475294_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #1
} if (shift_control == 0) { - if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { disp_width <<= 1; } } else if (shift_control == 1) { - if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { disp_width <<= 1; } }
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
33
34
35
36
37
38
39
40
41
42
/* in CGA modes, multi_scan is ignored */ /* XXX: is it correct ? */ multi_scan = double_scan; } multi_run = multi_scan; if (shift_control != s->shift_control || double_scan != s->double_scan) { full_update = 1; s->shift_control = shift_control; s->double_scan = double_scan;
+ show +
43
44
45
46
47
48
49
50
51
52
53
} if (shift_control == 0) { if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { disp_width <<= 1; } } else if (shift_control == 1) { if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { disp_width <<= 1; } }
+ show +
54
55
56
57
58
59
60
61
62
63
depth = s->get_bpp(s); /* * Check whether we can share the surface with the backend * or whether we need a shadow surface. We share native * endian surfaces for 15bpp and above and byteswapped * surfaces for 24bpp and above. */ format = qemu_default_pixman_format(depth, !byteswap);

[qemu_CVE-2016-3712_1463475294_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #2
if (shift_control == 0) { full_update |= update_palette16(s); - if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { v = VGA_DRAW_LINE4D2; } else { v = VGA_DRAW_LINE4;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
102
103
104
105
106
107
108
109
110
111
(full_update || surface_data(surface) != s->vram_ptr + (s->start_addr * 4))) { pixman_format_code_t format = qemu_default_pixman_format(depth, !byteswap); surface = qemu_create_displaysurface_from(disp_width, height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4)); dpy_gfx_replace_surface(s->con, surface); }
+ show +
112
113
114
115
116
117
if (shift_control == 0) { full_update |= update_palette16(s); if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { v = VGA_DRAW_LINE4D2; } else { v = VGA_DRAW_LINE4;
+ show +
118
119
120
121
122
123
124
125
126
127
} bits = 4; } else if (shift_control == 1) { full_update |= update_palette16(s); if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { v = VGA_DRAW_LINE2D2; } else { v = VGA_DRAW_LINE2; } bits = 4;

[qemu_CVE-2016-3712_1463475294_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #3
bits = 4; } else if (shift_control == 1) { full_update |= update_palette16(s); - if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { v = VGA_DRAW_LINE2D2; } else { v = VGA_DRAW_LINE2;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
109
110
111
112
113
114
115
116
117
118
dpy_gfx_replace_surface(s->con, surface); } if (shift_control == 0) { full_update |= update_palette16(s); if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { v = VGA_DRAW_LINE4D2; } else { v = VGA_DRAW_LINE4; }
+ show +
119
120
121
122
123
124
125
bits = 4; } else if (shift_control == 1) { full_update |= update_palette16(s); if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { v = VGA_DRAW_LINE2D2; } else { v = VGA_DRAW_LINE2;
+ show +
126
127
128
129
130
131
132
133
134
135
} bits = 4; } else { switch(s->get_bpp(s)) { default: case 0: full_update |= update_palette256(s); v = VGA_DRAW_LINE8D2; bits = 4; break;

[qemu_CVE-2016-3712_1463475294_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #4
#if 0 printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], - s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]); + s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); #endif addr1 = (s->start_addr * 4); bwidth = (width * bits + 7) / 8;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_graphic.c
156
157
158
159
160
161
162
163
164
165
break; } } vga_draw_line = vga_draw_line_table[v]; if (!is_buffer_shared(surface) && s->cursor_invalidate) { s->cursor_invalidate(s); } line_offset = s->line_offset;
+ show +
166
167
168
169
170
171
172
#if 0 printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]); #endif addr1 = (s->start_addr * 4); bwidth = (width * bits + 7) / 8;
+ show +
173
174
175
176
177
178
179
180
181
182
y_start = -1; page_min = -1; page_max = 0; d = surface_data(surface); linesize = surface_stride(surface); y1 = 0; for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift;

[qemu_CVE-2016-3712_1463475294_vga_draw_text.diff] vga_draw_text_OLD.c #1
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); /* compute font data address (in plane 2) */ - v = s->sr[VGA_SEQ_CHARACTER_MAP]; + v = sr(s, VGA_SEQ_CHARACTER_MAP); offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2; if (offset != s->font_offsets[0]) { s->font_offsets[0] = offset;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_draw_text.c
2
3
4
5
6
7
8
9
10
11
{ DisplaySurface *surface = qemu_console_surface(s->con); int cx, cy, cheight, cw, ch, cattr, height, width, ch_attr; int cx_min, cx_max, linesize, x_incr, line, line1; uint32_t offset, fgcol, bgcol, v, cursor_offset; uint8_t *d1, *d, *src, *dest, *cursor_ptr; const uint8_t *font_ptr, *font_base[2]; int dup9, line_offset; uint32_t *palette; uint32_t *ch_attr_ptr;
+ show +
12
13
14
15
16
17
18
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); /* compute font data address (in plane 2) */ v = s->sr[VGA_SEQ_CHARACTER_MAP]; offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2; if (offset != s->font_offsets[0]) { s->font_offsets[0] = offset;
+ show +
19
20
21
22
23
24
25
26
27
28
full_update = 1; } font_base[0] = s->vram_ptr + offset; offset = (((v >> 5) & 1) | ((v >> 1) & 6)) * 8192 * 4 + 2; font_base[1] = s->vram_ptr + offset; if (offset != s->font_offsets[1]) { s->font_offsets[1] = offset; full_update = 1; }

[qemu_CVE-2016-3712_1463475294_vga_get_text_resolution.diff] vga_get_text_resolution_OLD.c #1
/* total width & height */ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; cwidth = 8; - if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { + if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { cwidth = 9; } - if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { cwidth = 16; /* NOTE: no 18 pixel wide */ } width = (s->cr[VGA_CRTC_H_DISP] + 1);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_get_text_resolution.c
1
2
3
4
5
static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight, int *pcwidth, int *pcheight) { int width, cwidth, height, cheight;
+ show +
6
7
8
9
10
11
12
13
14
15
/* total width & height */ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; cwidth = 8; if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { cwidth = 9; } if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { cwidth = 16; /* NOTE: no 18 pixel wide */ } width = (s->cr[VGA_CRTC_H_DISP] + 1);
+ show +
16
17
18
19
20
21
22
23
24
25
if (s->cr[VGA_CRTC_V_TOTAL] == 100) { /* ugly hack for CGA 160x100x16 - explain me the logic */ height = 100; } else { height = s->cr[VGA_CRTC_V_DISP_END] | ((s->cr[VGA_CRTC_OVERFLOW] & 0x02) << 7) | ((s->cr[VGA_CRTC_OVERFLOW] & 0x40) << 3); height = (height + 1) / cheight; }

[qemu_CVE-2016-3712_1463475294_vga_precise_update_retrace_info.diff] vga_precise_update_retrace_info_OLD.c #1
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; - clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; + clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1; clock_sel = (s->msr >> 2) & 3; dots = (s->msr & 1) ? 8 : 9;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_precise_update_retrace_info.c
22
23
24
25
26
27
28
29
30
31
htotal_chars = s->cr[VGA_CRTC_H_TOTAL] + 5; hretr_start_char = s->cr[VGA_CRTC_H_SYNC_START]; hretr_skew_chars = (s->cr[VGA_CRTC_H_SYNC_END] >> 5) & 3; hretr_end_char = s->cr[VGA_CRTC_H_SYNC_END] & 0x1f; vtotal_lines = (s->cr[VGA_CRTC_V_TOTAL] | (((s->cr[VGA_CRTC_OVERFLOW] & 1) | ((s->cr[VGA_CRTC_OVERFLOW] >> 4) & 2)) << 8)) + 2; vretr_start_line = s->cr[VGA_CRTC_V_SYNC_START] | ((((s->cr[VGA_CRTC_OVERFLOW] >> 2) & 1) |
+ show +
32
33
34
35
36
37
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; clock_sel = (s->msr >> 2) & 3; dots = (s->msr & 1) ? 8 : 9;
+ show +
38
39
40
41
42
43
44
45
46
47
chars_per_sec = clk_hz[clock_sel] / dots; htotal_chars <<= clocking_mode; r->total_chars = vtotal_lines * htotal_chars; if (r->freq) { r->ticks_per_char = NANOSECONDS_PER_SECOND / (r->total_chars * r->freq); } else { r->ticks_per_char = NANOSECONDS_PER_SECOND / chars_per_sec;
.\cloneFuncs\totalClone\Type-2\CVE-2016-3712_before_6mo_1441983103_vga_precise_update_retrace_info.c
22
23
24
25
26
27
28
29
30
31
htotal_chars = s->cr[VGA_CRTC_H_TOTAL] + 5; hretr_start_char = s->cr[VGA_CRTC_H_SYNC_START]; hretr_skew_chars = (s->cr[VGA_CRTC_H_SYNC_END] >> 5) & 3; hretr_end_char = s->cr[VGA_CRTC_H_SYNC_END] & 0x1f; vtotal_lines = (s->cr[VGA_CRTC_V_TOTAL] | (((s->cr[VGA_CRTC_OVERFLOW] & 1) | ((s->cr[VGA_CRTC_OVERFLOW] >> 4) & 2)) << 8)) + 2; vretr_start_line = s->cr[VGA_CRTC_V_SYNC_START] | ((((s->cr[VGA_CRTC_OVERFLOW] >> 2) & 1) |
+ show +
32
33
34
35
36
37
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; clock_sel = (s->msr >> 2) & 3; dots = (s->msr & 1) ? 8 : 9;
+ show +
38
39
40
41
42
43
44
45
46
47
chars_per_sec = clk_hz[clock_sel] / dots; htotal_chars <<= clocking_mode; r->total_chars = vtotal_lines * htotal_chars; if (r->freq) { r->ticks_per_char = get_ticks_per_sec() / (r->total_chars * r->freq); } else { r->ticks_per_char = get_ticks_per_sec() / chars_per_sec;

[qemu_CVE-2016-3712_1463475294_vga_update_text.diff] vga_update_text_OLD.c #1
/* total width & height */ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; cw = 8; - if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { + if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { cw = 9; } - if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { + if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { cw = 16; /* NOTE: no 18 pixel wide */ } width = (s->cr[VGA_CRTC_H_DISP] + 1);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_1mo_1458576150_vga_update_text.c
22
23
24
25
26
27
28
29
30
31
if (s->last_width == -1) { s->last_width = 0; full_update = 1; } switch (graphic_mode) { case GMODE_TEXT: /* TODO: update palette */ full_update |= update_basic_params(s);
+ show +
32
33
34
35
36
37
38
39
40
41
/* total width & height */ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; cw = 8; if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { cw = 9; } if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { cw = 16; /* NOTE: no 18 pixel wide */ } width = (s->cr[VGA_CRTC_H_DISP] + 1);
+ show +
42
43
44
45
46
47
48
49
50
51
if (s->cr[VGA_CRTC_V_TOTAL] == 100) { /* ugly hack for CGA 160x100x16 - explain me the logic */ height = 100; } else { height = s->cr[VGA_CRTC_V_DISP_END] | ((s->cr[VGA_CRTC_OVERFLOW] & 0x02) << 7) | ((s->cr[VGA_CRTC_OVERFLOW] & 0x40) << 3); height = (height + 1) / cheight; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-3712_before_6mo_1441983103_vga_update_text.c
22
23
24
25
26
27
28
29
30
31
if (s->last_width == -1) { s->last_width = 0; full_update = 1; } switch (graphic_mode) { case GMODE_TEXT: /* TODO: update palette */ full_update |= update_basic_params(s);
+ show +
32
33
34
35
36
37
38
39
40
41
/* total width & height */ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; cw = 8; if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { cw = 9; } if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { cw = 16; /* NOTE: no 18 pixel wide */ } width = (s->cr[VGA_CRTC_H_DISP] + 1);
+ show +
42
43
44
45
46
47
48
49
50
51
if (s->cr[VGA_CRTC_V_TOTAL] == 100) { /* ugly hack for CGA 160x100x16 - explain me the logic */ height = 100; } else { height = s->cr[VGA_CRTC_V_DISP_END] | ((s->cr[VGA_CRTC_OVERFLOW] & 0x02) << 7) | ((s->cr[VGA_CRTC_OVERFLOW] & 0x40) << 3); height = (height + 1) / cheight; }

[qemu_CVE-2016-3712_1463475294_vga_ioport_write.diff] vga_ioport_write_OLD.c #1
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); #endif s->sr[s->sr_index] = val & sr_mask[s->sr_index]; - vbe_update_vgaregs(s); if (s->sr_index == VGA_SEQ_CLOCK_MODE) { s->update_retrace_info(s); }
.\cloneFuncs\totalClone\Type-1\CVE-2016-3712_before_imd_1461674886_vga_ioport_write.c
45
46
47
48
49
50
51
52
53
54
break; case VGA_MIS_W: s->msr = val & ~0x10; s->update_retrace_info(s); break; case VGA_SEQ_I: s->sr_index = val & 7; break; case VGA_SEQ_D: #ifdef DEBUG_VGA_REG
+ show +
55
56
57
58
59
60
61
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); #endif s->sr[s->sr_index] = val & sr_mask[s->sr_index]; vbe_update_vgaregs(s); if (s->sr_index == VGA_SEQ_CLOCK_MODE) { s->update_retrace_info(s); }
+ show +
62
63
64
65
66
67
68
69
70
71
vga_update_memory_access(s); break; case VGA_PEL_IR: s->dac_read_index = val; s->dac_sub_index = 0; s->dac_state = 3; break; case VGA_PEL_IW: s->dac_write_index = val; s->dac_sub_index = 0;

[linux_CVE-2016-3857_1469732141_sys_oabi_epoll_wait.diff] sys_oabi_epoll_wait_OLD.c #1
mm_segment_t fs; long ret, err, i; - if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) + if (maxevents <= 0 || + maxevents > (INT_MAX/sizeof(*kbuf)) || + maxevents > (INT_MAX/sizeof(*events))) return -EINVAL; + if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) + return -EFAULT; kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); if (!kbuf) return -ENOMEM;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3857_before_1mo_1396807385_sys_oabi_epoll_wait.c
1
2
3
4
5
asmlinkage long sys_oabi_epoll_wait(int epfd, struct oabi_epoll_event __user *events, int maxevents, int timeout) { struct epoll_event *kbuf;
+ show +
6
7
8
9
10
11
12
13
mm_segment_t fs; long ret, err, i; if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) return -EINVAL; kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); if (!kbuf) return -ENOMEM;
+ show +
14
15
16
17
18
19
20
21
22
23
fs = get_fs(); set_fs(KERNEL_DS); ret = sys_epoll_wait(epfd, kbuf, maxevents, timeout); set_fs(fs); err = 0; for (i = 0; i < ret; i++) { __put_user_error(kbuf[i].events, &events->events, err); __put_user_error(kbuf[i].data, &events->data, err); events++; }

[linux_CVE-2016-3857_1469732141_sys_oabi_semtimedop.diff] sys_oabi_semtimedop_OLD.c #1
if (nsops < 1 || nsops > SEMOPM) return -EINVAL; + if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) + return -EFAULT; sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); if (!sops) return -ENOMEM;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3857_before_1mo_1396807385_sys_oabi_semtimedop.c
1
2
3
4
5
6
7
8
9
10
asmlinkage long sys_oabi_semtimedop(int semid, struct oabi_sembuf __user *tsops, unsigned nsops, const struct timespec __user *timeout) { struct sembuf *sops; struct timespec local_timeout; long err; int i;
+ show +
11
12
13
14
15
if (nsops < 1 || nsops > SEMOPM) return -EINVAL; sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); if (!sops) return -ENOMEM;
+ show +
16
17
18
19
20
21
22
23
24
25
err = 0; for (i = 0; i < nsops; i++) { __get_user_error(sops[i].sem_num, &tsops->sem_num, err); __get_user_error(sops[i].sem_op, &tsops->sem_op, err); __get_user_error(sops[i].sem_flg, &tsops->sem_flg, err); tsops++; } if (timeout) { /* copy this as well before changing domain protection */ err |= copy_from_user(&local_timeout, timeout, sizeof(*timeout));

[libtiff_CVE-2016-3945_1471291600_cvt_by_strip.diff] cvt_by_strip_OLD.c #1
uint32 row; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_strip.c
1
2
3
4
5
6
static int cvt_by_strip( TIFF *in, TIFF *out ) { uint32* raster; /* retrieve RGBA image */ uint32 width, height; /* image width & height */
+ show +
7
8
9
10
11
12
uint32 row; uint32 *wrk_line; int ok = 1; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ show +
13
14
15
16
17
18
19
20
21
22
if( !TIFFGetField(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip) ) { TIFFError(TIFFFileName(in), "Source image not in strips"); return (0); } TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); /* * Allocate strip buffer

[libtiff_CVE-2016-3945_1471291600_cvt_by_strip.diff] cvt_by_strip_OLD.c #2
/* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + rastersize = width * rowsperstrip * sizeof (uint32); + if (width != (rastersize / rowsperstrip) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_strip.c
11
12
13
14
15
16
17
18
19
20
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); if( !TIFFGetField(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip) ) { TIFFError(TIFFFileName(in), "Source image not in strips"); return (0); } TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ show +
21
22
23
24
25
26
27
/* * Allocate strip buffer */ raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0);
+ show +
28
29
30
31
32
33
34
35
36
37
} /* * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;

[libtiff_CVE-2016-3945_1471291600_cvt_by_strip.diff] cvt_by_strip_OLD.c #3
* Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + wrk_linesize = width * sizeof (uint32); + if (width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_strip.c
21
22
23
24
25
26
27
28
29
30
/* * Allocate strip buffer */ raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); } /*
+ show +
31
32
33
34
35
36
37
* Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;
+ show +
38
39
40
41
42
43
44
45
46
47
} /* * Loop over the strips. */ for( row = 0; ok && row < height; row += rowsperstrip ) { int rows_to_write, i_row; /* Read the strip into an RGBA array */

[libtiff_CVE-2016-3945_1471291600_cvt_by_tile.diff] cvt_by_tile_OLD.c #1
uint32 row, col; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_tile.c
1
2
3
4
5
6
7
static int cvt_by_tile( TIFF *in, TIFF *out ) { uint32* raster; /* retrieve RGBA image */ uint32 width, height; /* image width & height */ uint32 tile_width, tile_height;
+ show +
8
9
10
11
12
13
uint32 row, col; uint32 *wrk_line; int ok = 1; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ show +
14
15
16
17
18
19
20
21
22
23
if( !TIFFGetField(in, TIFFTAG_TILEWIDTH, &tile_width) || !TIFFGetField(in, TIFFTAG_TILELENGTH, &tile_height) ) { TIFFError(TIFFFileName(in), "Source image not tiled"); return (0); } TIFFSetField(out, TIFFTAG_TILEWIDTH, tile_width ); TIFFSetField(out, TIFFTAG_TILELENGTH, tile_height );

[libtiff_CVE-2016-3945_1471291600_cvt_by_tile.diff] cvt_by_tile_OLD.c #2
/* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + rastersize = tile_width * tile_height * sizeof (uint32); + if (tile_width != (rastersize / tile_height) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0);
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_tile.c
14
15
16
17
18
19
20
21
22
23
if( !TIFFGetField(in, TIFFTAG_TILEWIDTH, &tile_width) || !TIFFGetField(in, TIFFTAG_TILELENGTH, &tile_height) ) { TIFFError(TIFFFileName(in), "Source image not tiled"); return (0); } TIFFSetField(out, TIFFTAG_TILEWIDTH, tile_width ); TIFFSetField(out, TIFFTAG_TILELENGTH, tile_height );
+ show +
24
25
26
27
28
29
30
/* * Allocate tile buffer */ raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0);
+ show +
31
32
33
34
35
36
37
38
39
40
} /* * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;

[libtiff_CVE-2016-3945_1471291600_cvt_by_tile.diff] cvt_by_tile_OLD.c #3
* Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + wrk_linesize = tile_width * sizeof (uint32); + if (tile_width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_tile.c
24
25
26
27
28
29
30
31
32
33
/* * Allocate tile buffer */ raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); } /*
+ show +
34
35
36
37
38
39
40
* Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;
+ show +
41
42
43
44
45
46
47
48
49
50
} /* * Loop over the tiles. */ for( row = 0; ok && row < height; row += tile_height ) { for( col = 0; ok && col < width; col += tile_width ) { uint32 i_row;

[libtiff_CVE-2016-3990_1471294188_PixarLogEncode.diff] PixarLogEncode_OLD.c #1
} llen = sp->stride * td->td_imagewidth; + /* Check against the number of elements (of size uint16) of sp->tbuf */ + if( n > td->td_rowsperstrip * llen ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Too many input bytes provided"); + return 0; + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-3990_before_1mo_1467126739_PixarLogEncode.c
22
23
24
25
26
27
28
29
30
31
break; case PIXARLOGDATAFMT_8BIT: case PIXARLOGDATAFMT_8BITABGR: n = cc; break; default: TIFFErrorExt(tif->tif_clientdata, module, "%d bit input not supported in PixarLog", td->td_bitspersample); return 0;
+ show +
32
33
34
35
36
37
} llen = sp->stride * td->td_imagewidth; for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) {
+ show +
38
39
40
41
42
43
44
45
46
47
case PIXARLOGDATAFMT_FLOAT: horizontalDifferenceF((float *)bp, llen, sp->stride, up, sp->FromLT2); bp += llen * sizeof(float); break; case PIXARLOGDATAFMT_16BIT: horizontalDifference16((uint16 *)bp, llen, sp->stride, up, sp->From14); bp += llen * sizeof(uint16); break;

[libtiff_CVE-2016-3991_1471295140_loadImage.diff] loadImage_OLD.c #1
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); + if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) + { + TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); + exit(-1); + } buffsize = tlsize * ntiles; + if (tlsize != (buffsize / ntiles)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) { buffsize = ntiles * tl * tile_rowsize; + if (ntiles != (buffsize / tl / tile_rowsize)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
.\cloneFuncs\totalClone\Type-1\CVE-2016-3991_before_1mo_1468272363_loadImage.c
201
202
203
204
205
206
207
208
209
210
spp, bps); return (-1); } if (TIFFIsTiled(in)) { readunit = TILE; tlsize = TIFFTileSize(in); ntiles = TIFFNumberOfTiles(in); TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
+ show +
211
212
213
214
215
216
217
218
219
220
221
222
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); buffsize = tlsize * ntiles; if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) { buffsize = ntiles * tl * tile_rowsize; #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+ show +
223
224
225
226
227
228
229
230
231
232
tlsize, (unsigned long)buffsize); #endif } if (dump->infile != NULL) dump_info (dump->infile, dump->format, "", "Tilesize: %u, Number of Tiles: %u, Tile row size: %u", tlsize, ntiles, tile_rowsize); } else

[libtiff_CVE-2016-3991_1471295140_loadImage.diff] loadImage_OLD.c #2
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); + if (nstrips == 0 || stsize == 0) + { + TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); + exit(-1); + } + buffsize = stsize * nstrips; - + if (stsize != (buffsize / nstrips)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + uint32 buffsize_check; + buffsize_check = ((length * width * spp * bps) + 7); + if (length != ((buffsize_check - 7) / width / spp / bps)) + { + TIFFError("loadImage", "Integer overflow detected."); + exit(-1); + } if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8;
.\cloneFuncs\totalClone\Type-1\CVE-2016-3991_before_1mo_1468272363_loadImage.c
225
226
227
228
229
230
231
232
233
234
} if (dump->infile != NULL) dump_info (dump->infile, dump->format, "", "Tilesize: %u, Number of Tiles: %u, Tile row size: %u", tlsize, ntiles, tile_rowsize); } else { readunit = STRIP;
+ show +
235
236
237
238
239
240
241
242
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); buffsize = stsize * nstrips; if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8;
+ show +
243
244
245
246
247
248
249
250
251
252
#ifdef DEBUG2 TIFFError("loadImage", "Stripsize %u is too small, using imagelength * width * spp * bps / 8 = %lu", stsize, (unsigned long)buffsize); #endif } if (dump->infile != NULL) dump_info (dump->infile, dump->format, "", "Stripsize: %u, Number of Strips: %u, Rows per Strip: %u, Scanline size: %u",

[qemu_CVE-2016-4439_1463654370_esp_reg_write.diff] esp_reg_write_OLD.c #1
break; case ESP_FIFO: if (s->do_cmd) { - s->cmdbuf[s->cmdlen++] = val & 0xff; + if (s->cmdlen < TI_BUFSZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + trace_esp_error_fifo_overrun(); + } } else if (s->ti_size == TI_BUFSZ - 1) { trace_esp_error_fifo_overrun(); } else {
.\cloneFuncs\totalClone\Type-1\CVE-2016-4439_before_1mo_1453832236_esp_reg_write.c
1
2
3
4
5
6
7
8
9
10
void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) { trace_esp_mem_writeb(saddr, s->wregs[saddr], val); switch (saddr) { case ESP_TCHI: s->tchi_written = true; /* fall through */ case ESP_TCLO: case ESP_TCMID: s->rregs[ESP_RSTAT] &= ~STAT_TC;
+ show +
11
12
13
14
15
16
17
break; case ESP_FIFO: if (s->do_cmd) { s->cmdbuf[s->cmdlen++] = val & 0xff; } else if (s->ti_size == TI_BUFSZ - 1) { trace_esp_error_fifo_overrun(); } else {
+ show +
18
19
20
21
22
23
24
25
26
27
s->ti_size++; s->ti_buf[s->ti_wptr++] = val & 0xff; } break; case ESP_CMD: s->rregs[saddr] = val; if (val & CMD_DMA) { s->dma = 1; /* Reload DMA counter. */ s->rregs[ESP_TCLO] = s->wregs[ESP_TCLO];

[linux_CVE-2017-1000407_1512152469_hardware_setup.diff] hardware_setup_OLD.c #1
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); - /* - * Allow direct access to the PC debug port (it is often used for I/O - * delays, but the vmexits simply slow things down). - */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); - clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
.\cloneFuncs\totalClone\Type-1\CVE-2016-4440_after_1mo_1466240465_hardware_setup.c
41
42
43
44
45
46
47
48
49
50
} vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmread_bitmap) goto out6; vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmwrite_bitmap) goto out7;
+ show +
51
52
53
54
55
56
57
58
59
60
61
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
62
63
64
65
66
67
68
69
70
71
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (nested) memset(vmx_msr_bitmap_nested, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out8; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-4440_before_1mo_1458838052_hardware_setup.c
41
42
43
44
45
46
47
48
49
50
} vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmread_bitmap) goto out6; vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmwrite_bitmap) goto out7;
+ show +
51
52
53
54
55
56
57
58
59
60
61
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
62
63
64
65
66
67
68
69
70
71
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (nested) memset(vmx_msr_bitmap_nested, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out8; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000407_before_imd_1511388240_hardware_setup.c
7
8
9
10
11
12
13
14
15
16
for (i = 0; i < ARRAY_SIZE(vmx_msr_index); ++i) kvm_define_shared_msr(i, vmx_msr_index[i]); for (i = 0; i < VMX_BITMAP_NR; i++) { vmx_bitmap[i] = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_bitmap[i]) goto out; } vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
+ show +
17
18
19
20
21
22
23
24
25
26
27
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
28
29
30
31
32
33
34
35
36
37
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out; } if (boot_cpu_has(X86_FEATURE_NX))
.\cloneFuncs\totalClone\Type-3\CVE-2016-4440_after_6mo_1481657700_hardware_setup.c
44
45
46
47
48
49
50
51
52
53
goto out6; vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmread_bitmap) goto out7; vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmwrite_bitmap) goto out8;
+ show +
54
55
56
57
58
59
60
61
62
63
64
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
65
66
67
68
69
70
71
72
73
74
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out9; } if (boot_cpu_has(X86_FEATURE_NX))
.\cloneFuncs\totalClone\Type-3\CVE-2016-4440_before_6mo_1447152936_hardware_setup.c
41
42
43
44
45
46
47
48
49
50
} vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmread_bitmap) goto out6; vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_vmwrite_bitmap) goto out7;
+ show +
51
52
53
54
55
56
57
58
59
60
61
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
62
63
64
65
66
67
68
69
70
71
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (nested) memset(vmx_msr_bitmap_nested, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out8; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-1000407_before_1mo_1508367739_hardware_setup.c
7
8
9
10
11
12
13
14
15
16
for (i = 0; i < ARRAY_SIZE(vmx_msr_index); ++i) kvm_define_shared_msr(i, vmx_msr_index[i]); for (i = 0; i < VMX_BITMAP_NR; i++) { vmx_bitmap[i] = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_bitmap[i]) goto out; } vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
+ show +
17
18
19
20
21
22
23
24
25
26
27
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
28
29
30
31
32
33
34
35
36
37
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out; } if (boot_cpu_has(X86_FEATURE_NX))
.\cloneFuncs\totalClone\Type-3\CVE-2017-1000407_before_6mo_1495093275_hardware_setup.c
7
8
9
10
11
12
13
14
15
16
for (i = 0; i < ARRAY_SIZE(vmx_msr_index); ++i) kvm_define_shared_msr(i, vmx_msr_index[i]); for (i = 0; i < VMX_BITMAP_NR; i++) { vmx_bitmap[i] = (unsigned long *)__get_free_page(GFP_KERNEL); if (!vmx_bitmap[i]) goto out; } vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
+ show +
17
18
19
20
21
22
23
24
25
26
27
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); /* * Allow direct access to the PC debug port (it is often used for I/O * delays, but the vmexits simply slow things down). */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ show +
28
29
30
31
32
33
34
35
36
37
memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE); memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE); if (setup_vmcs_config(&vmcs_config) < 0) { r = -EIO; goto out; } if (boot_cpu_has(X86_FEATURE_NX))

[linux_CVE-2016-4440_1463582900_hardware_setup.diff] hardware_setup_OLD.c #1
set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ - if (enable_apicv) { - for (msr = 0x800; msr <= 0x8ff; msr++) - vmx_disable_intercept_msr_read_x2apic(msr); + for (msr = 0x800; msr <= 0x8ff; msr++) + vmx_disable_intercept_msr_read_x2apic(msr); - /* According SDM, in x2apic mode, the whole id reg is used. - * But in KVM, it only use the highest eight bits. Need to - * intercept it */ - vmx_enable_intercept_msr_read_x2apic(0x802); - /* TMCCT */ - vmx_enable_intercept_msr_read_x2apic(0x839); - /* TPR */ - vmx_disable_intercept_msr_write_x2apic(0x808); - /* EOI */ - vmx_disable_intercept_msr_write_x2apic(0x80b); - /* SELF-IPI */ - vmx_disable_intercept_msr_write_x2apic(0x83f); - } + /* According SDM, in x2apic mode, the whole id reg is used. But in + * KVM, it only use the highest eight bits. Need to intercept it */ + vmx_enable_intercept_msr_read_x2apic(0x802); + /* TMCCT */ + vmx_enable_intercept_msr_read_x2apic(0x839); + /* TPR */ + vmx_disable_intercept_msr_write_x2apic(0x808); + /* EOI */ + vmx_disable_intercept_msr_write_x2apic(0x80b); + /* SELF-IPI */ + vmx_disable_intercept_msr_write_x2apic(0x83f); if (enable_ept) { kvm_mmu_set_mask_ptes(0ull,
.\cloneFuncs\totalClone\Type-1\CVE-2016-4440_before_1mo_1458838052_hardware_setup.c
128
129
130
131
132
133
134
135
136
137
vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false); vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false); vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false); vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true); memcpy(vmx_msr_bitmap_legacy_x2apic, vmx_msr_bitmap_legacy, PAGE_SIZE); memcpy(vmx_msr_bitmap_longmode_x2apic, vmx_msr_bitmap_longmode, PAGE_SIZE);
+ show +
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ if (enable_apicv) { for (msr = 0x800; msr <= 0x8ff; msr++) vmx_disable_intercept_msr_read_x2apic(msr); /* According SDM, in x2apic mode, the whole id reg is used. * But in KVM, it only use the highest eight bits. Need to * intercept it */ vmx_enable_intercept_msr_read_x2apic(0x802); /* TMCCT */ vmx_enable_intercept_msr_read_x2apic(0x839); /* TPR */ vmx_disable_intercept_msr_write_x2apic(0x808); /* EOI */ vmx_disable_intercept_msr_write_x2apic(0x80b); /* SELF-IPI */ vmx_disable_intercept_msr_write_x2apic(0x83f); } if (enable_ept) { kvm_mmu_set_mask_ptes(0ull,
+ show +
160
161
162
163
164
165
166
167
168
169
(enable_ept_ad_bits) ? VMX_EPT_ACCESS_BIT : 0ull, (enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull, 0ull, VMX_EPT_EXECUTABLE_MASK); ept_set_mmio_spte_mask(); kvm_enable_tdp(); } else kvm_disable_tdp(); update_ple_window_actual_max();
.\cloneFuncs\totalClone\Type-3\CVE-2016-4440_before_6mo_1447152936_hardware_setup.c
137
138
139
140
141
142
143
144
145
146
vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false); vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false); vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false); vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true); memcpy(vmx_msr_bitmap_legacy_x2apic, vmx_msr_bitmap_legacy, PAGE_SIZE); memcpy(vmx_msr_bitmap_longmode_x2apic, vmx_msr_bitmap_longmode, PAGE_SIZE);
+ show +
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ if (enable_apicv) { for (msr = 0x800; msr <= 0x8ff; msr++) vmx_disable_intercept_msr_read_x2apic(msr); /* According SDM, in x2apic mode, the whole id reg is used. * But in KVM, it only use the highest eight bits. Need to * intercept it */ vmx_enable_intercept_msr_read_x2apic(0x802); /* TMCCT */ vmx_enable_intercept_msr_read_x2apic(0x839); /* TPR */ vmx_disable_intercept_msr_write_x2apic(0x808); /* EOI */ vmx_disable_intercept_msr_write_x2apic(0x80b); /* SELF-IPI */ vmx_disable_intercept_msr_write_x2apic(0x83f); } if (enable_ept) { kvm_mmu_set_mask_ptes(0ull,
+ show +
169
170
171
172
173
174
175
176
177
178
(enable_ept_ad_bits) ? VMX_EPT_ACCESS_BIT : 0ull, (enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull, 0ull, VMX_EPT_EXECUTABLE_MASK); ept_set_mmio_spte_mask(); kvm_enable_tdp(); } else kvm_disable_tdp(); update_ple_window_actual_max();

[linux_CVE-2016-4440_1463582900_vmx_set_msr_bitmap.diff] vmx_set_msr_bitmap_OLD.c #1
if (is_guest_mode(vcpu)) msr_bitmap = vmx_msr_bitmap_nested; - else if (vcpu->arch.apic_base & X2APIC_ENABLE) { + else if (cpu_has_secondary_exec_ctrls() && + (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & + SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { if (is_long_mode(vcpu)) msr_bitmap = vmx_msr_bitmap_longmode_x2apic; else
.\cloneFuncs\totalClone\Type-1\CVE-2016-4440_before_1mo_1458838052_vmx_set_msr_bitmap.c
1
2
3
4
static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu) { unsigned long *msr_bitmap;
+ show +
5
6
7
8
9
10
if (is_guest_mode(vcpu)) msr_bitmap = vmx_msr_bitmap_nested; else if (vcpu->arch.apic_base & X2APIC_ENABLE) { if (is_long_mode(vcpu)) msr_bitmap = vmx_msr_bitmap_longmode_x2apic; else
+ show +
11
12
13
14
15
16
17
18
19
20
msr_bitmap = vmx_msr_bitmap_legacy_x2apic; } else { if (is_long_mode(vcpu)) msr_bitmap = vmx_msr_bitmap_longmode; else msr_bitmap = vmx_msr_bitmap_legacy; } vmcs_write64(MSR_BITMAP, __pa(msr_bitmap)); }

[qemu_CVE-2016-4441_1463654371_get_cmd.diff] get_cmd_OLD.c #1
-static uint32_t get_cmd(ESPState *s, uint8_t *buf) +static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) { uint32_t dmalen; int target;
.\cloneFuncs\totalClone\Type-1\CVE-2016-4441_before_1mo_1457942488_get_cmd.c
+ show +
1
2
3
4
static uint32_t get_cmd(ESPState *s, uint8_t *buf) { uint32_t dmalen; int target;
+ show +
5
6
7
8
9
10
11
12
13
14
target = s->wregs[ESP_WBUSID] & BUSID_DID; if (s->dma) { dmalen = s->rregs[ESP_TCLO]; dmalen |= s->rregs[ESP_TCMID] << 8; dmalen |= s->rregs[ESP_TCHI] << 16; s->dma_memory_read(s->dma_opaque, buf, dmalen); } else { dmalen = s->ti_size; memcpy(buf, s->ti_buf, dmalen);

[qemu_CVE-2016-4441_1463654371_get_cmd.diff] get_cmd_OLD.c #2
dmalen = s->rregs[ESP_TCLO]; dmalen |= s->rregs[ESP_TCMID] << 8; dmalen |= s->rregs[ESP_TCHI] << 16; + if (dmalen > buflen) { + return 0; + } s->dma_memory_read(s->dma_opaque, buf, dmalen); } else { dmalen = s->ti_size;
.\cloneFuncs\totalClone\Type-1\CVE-2016-4441_before_1mo_1457942488_get_cmd.c
1
2
3
4
5
6
7
static uint32_t get_cmd(ESPState *s, uint8_t *buf) { uint32_t dmalen; int target; target = s->wregs[ESP_WBUSID] & BUSID_DID; if (s->dma) {
+ show +
8
9
10
11
12
13
dmalen = s->rregs[ESP_TCLO]; dmalen |= s->rregs[ESP_TCMID] << 8; dmalen |= s->rregs[ESP_TCHI] << 16; s->dma_memory_read(s->dma_opaque, buf, dmalen); } else { dmalen = s->ti_size;
+ show +
14
15
16
17
18
19
20
21
22
23
memcpy(buf, s->ti_buf, dmalen); buf[0] = buf[2] >> 5; } trace_esp_get_cmd(dmalen, target); s->ti_size = 0; s->ti_rptr = 0; s->ti_wptr = 0; if (s->current_req) {

[qemu_CVE-2016-4441_1463654371_handle_satn_stop.diff] handle_satn_stop_OLD.c #1
s->dma_cb = handle_satn_stop; return; } - s->cmdlen = get_cmd(s, s->cmdbuf); + s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); if (s->cmdlen) { trace_esp_handle_satn_stop(s->cmdlen); s->do_cmd = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2016-4441_before_1mo_1457942488_handle_satn_stop.c
1
2
3
static void handle_satn_stop(ESPState *s) { if (s->dma && !s->dma_enabled) {
+ show +
4
5
6
7
8
9
10
s->dma_cb = handle_satn_stop; return; } s->cmdlen = get_cmd(s, s->cmdbuf); if (s->cmdlen) { trace_esp_handle_satn_stop(s->cmdlen); s->do_cmd = 1;
+ show +
11
12
13
14
15
16
s->rregs[ESP_RSTAT] = STAT_TC | STAT_CD; s->rregs[ESP_RINTR] = INTR_BS | INTR_FC; s->rregs[ESP_RSEQ] = SEQ_CD; esp_raise_irq(s); } }

[qemu_CVE-2016-4454_1464592160_vmsvga_fifo_run.diff] vmsvga_fifo_run_OLD.c #1
len = vmsvga_fifo_length(s); while (len > 0) { /* May need to go back to the start of the command if incomplete */ - cmd_start = s->cmd->stop; + cmd_start = s->fifo_stop; switch (cmd = vmsvga_fifo_read(s)) { case SVGA_CMD_UPDATE:
.\cloneFuncs\totalClone\Type-1\CVE-2016-4454_before_1mo_1457942488_vmsvga_fifo_run.c
1
2
3
4
5
6
7
8
static void vmsvga_fifo_run(struct vmsvga_state_s *s) { uint32_t cmd, colour; int args, len; int x, y, dx, dy, width, height; struct vmsvga_cursor_definition_s cursor; uint32_t cmd_start;
+ show +
9
10
11
12
13
14
15
len = vmsvga_fifo_length(s); while (len > 0) { /* May need to go back to the start of the command if incomplete */ cmd_start = s->cmd->stop; switch (cmd = vmsvga_fifo_read(s)) { case SVGA_CMD_UPDATE:
+ show +
16
17
18
19
20
21
22
23
24
25
case SVGA_CMD_UPDATE_VERBOSE: len -= 5; if (len < 0) { goto rewind; } x = vmsvga_fifo_read(s); y = vmsvga_fifo_read(s); width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s);

[qemu_CVE-2016-4952_1464000485_pvscsi_ring_init_data.diff] pvscsi_ring_init_data_OLD.c #1
-static void +static int pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) { int i;
.\cloneFuncs\totalClone\Type-1\CVE-2016-4952_before_1mo_1457942488_pvscsi_ring_init_data.c
+ show +
1
2
3
4
static void pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) { int i;
+ show +
5
6
7
8
9
10
11
12
13
14
uint32_t txr_len_log2, rxr_len_log2; uint32_t req_ring_size, cmp_ring_size; m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; txr_len_log2 = pvscsi_log2(req_ring_size - 1); rxr_len_log2 = pvscsi_log2(cmp_ring_size - 1); m->txr_len_mask = MASK(txr_len_log2);

[qemu_CVE-2016-4952_1464000485_pvscsi_ring_init_data.diff] pvscsi_ring_init_data_OLD.c #2
uint32_t req_ring_size, cmp_ring_size; m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) + || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { + return -1; + } req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; txr_len_log2 = pvscsi_log2(req_ring_size - 1);
.\cloneFuncs\totalClone\Type-1\CVE-2016-4952_before_1mo_1457942488_pvscsi_ring_init_data.c
1
2
3
4
5
static void pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) { int i; uint32_t txr_len_log2, rxr_len_log2;
+ show +
6
7
8
9
10
11
uint32_t req_ring_size, cmp_ring_size; m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+ show +
12
13
14
15
16
17
18
19
20
21
rxr_len_log2 = pvscsi_log2(cmp_ring_size - 1); m->txr_len_mask = MASK(txr_len_log2); m->rxr_len_mask = MASK(rxr_len_log2); m->consumed_ptr = 0; m->filled_cmp_ptr = 0; for (i = 0; i < ri->reqRingNumPages; i++) { m->req_ring_pages_pa[i] = ri->reqRingPPNs[i] << VMW_PAGE_SHIFT;

[qemu_CVE-2016-4952_1464000485_pvscsi_ring_init_msg.diff] pvscsi_ring_init_msg_OLD.c #1
-static void +static int pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) { int i; uint32_t len_log2; uint32_t ring_size; + if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { + return -1; + } ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; len_log2 = pvscsi_log2(ring_size - 1);
.\cloneFuncs\totalClone\Type-1\CVE-2016-4952_before_1mo_1457942488_pvscsi_ring_init_msg.c
+ show +
1
2
3
4
5
6
7
8
9
static void pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) { int i; uint32_t len_log2; uint32_t ring_size; ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; len_log2 = pvscsi_log2(ring_size - 1);
+ show +
10
11
12
13
14
15
16
17
18
19
m->msg_len_mask = MASK(len_log2); m->filled_msg_ptr = 0; for (i = 0; i < ri->numPages; i++) { m->msg_ring_pages_pa[i] = ri->ringPPNs[i] << VMW_PAGE_SHIFT; } RS_SET_FIELD(m, msgProdIdx, 0);

[qemu_CVE-2016-5403_1468930033_virtqueue_pop.diff] virtqueue_pop_OLD.c #1
max = vq->vring.num; + if (vq->inuse >= vq->vring.num) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx);
.\cloneFuncs\totalClone\Type-1\CVE-2016-5403_before_1mo_1463767461_virtqueue_pop.c
12
13
14
15
16
17
18
19
20
21
if (virtio_queue_empty(vq)) { return NULL; } /* Needed after virtio_queue_empty(), see comment in * virtqueue_num_heads(). */ smp_rmb(); /* When we start there are none of either input nor output. */ out_num = in_num = 0;
+ show +
22
23
24
25
26
max = vq->vring.num; i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx);
+ show +
27
28
29
30
31
32
33
34
35
36
} vring_desc_read(vdev, &desc, desc_pa, i); if (desc.flags & VRING_DESC_F_INDIRECT) { if (desc.len % sizeof(VRingDesc)) { error_report("Invalid size for indirect buffer table"); exit(1); } /* loop over the indirect descriptor table */
.\cloneFuncs\totalClone\Type-4\CVE-2016-5403_before_6mo_1452247200_virtqueue_pop.c
3
4
5
6
7
8
9
10
11
12
unsigned int i, head, max; hwaddr desc_pa = vq->vring.desc; VirtIODevice *vdev = vq->vdev; if (!virtqueue_num_heads(vq, vq->last_avail_idx)) return 0; /* When we start there are none of either input nor output. */ elem->out_num = elem->in_num = 0;
+ show +
13
14
15
16
17
max = vq->vring.num; i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx);
+ show +
18
19
20
21
22
23
24
25
26
27
} if (vring_desc_flags(vdev, desc_pa, i) & VRING_DESC_F_INDIRECT) { if (vring_desc_len(vdev, desc_pa, i) % sizeof(VRingDesc)) { error_report("Invalid size for indirect buffer table"); exit(1); } /* loop over the indirect descriptor table */ max = vring_desc_len(vdev, desc_pa, i) / sizeof(VRingDesc);

[linux_CVE-2016-5828_1466139514_start_thread.diff] start_thread_OLD.c #1
current->thread.regs = regs - 1; } +#ifdef CONFIG_PPC_TRANSACTIONAL_MEM + /* + * Clear any transactional state, we're exec()ing. The cause is + * not important as there will never be a recheckpoint so it's not + * user visible. + */ + if (MSR_TM_SUSPENDED(mfmsr())) + tm_reclaim_current(0); +#endif + memset(regs->gpr, 0, sizeof(regs->gpr)); regs->ctr = 0; regs->link = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2016-5828_before_1mo_1461936367_start_thread.c
3
4
5
6
7
8
9
10
11
12
#ifdef CONFIG_PPC64 unsigned long load_addr = regs->gpr[2]; /* saved by ELF_PLAT_INIT */ #endif /* * If we exec out of a kernel thread then thread.regs will not be * set. Do it now. */ if (!current->thread.regs) { struct pt_regs *regs = task_stack_page(current) + THREAD_SIZE;
+ show +
13
14
15
16
17
18
current->thread.regs = regs - 1; } memset(regs->gpr, 0, sizeof(regs->gpr)); regs->ctr = 0; regs->link = 0;
+ show +
19
20
21
22
23
24
25
26
27
28
regs->xer = 0; regs->ccr = 0; regs->gpr[1] = sp; /* * We have just cleared all the nonvolatile GPRs, so make * FULL_REGS(regs) return true. This is necessary to allow * ptrace to examine the thread immediately after exec. */ regs->trap &= ~1UL;

[libtiff_CVE-2016-587_1467371164_LogL16InitState.diff] LogL16InitState_OLD.c #1
assert(sp != NULL); assert(td->td_photometric == PHOTOMETRIC_LOGL); + if( td->td_samplesperpixel != 1 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Sorry, can not handle LogL image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } + /* for some reason, we can't do this in TIFFInitLogL16 */ if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) sp->user_datafmt = LogL16GuessDataFmt(td);
.\cloneFuncs\totalClone\Type-1\CVE-2016-587_before_1mo_1434848949_LogL16InitState.c
1
2
3
4
5
6
7
static int LogL16InitState(TIFF* tif) { static const char module[] = "LogL16InitState"; TIFFDirectory *td = &tif->tif_dir; LogLuvState* sp = DecoderState(tif);
+ show +
8
9
10
11
12
13
assert(sp != NULL); assert(td->td_photometric == PHOTOMETRIC_LOGL); /* for some reason, we can't do this in TIFFInitLogL16 */ if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) sp->user_datafmt = LogL16GuessDataFmt(td);
+ show +
14
15
16
17
18
19
20
21
22
23
switch (sp->user_datafmt) { case SGILOGDATAFMT_FLOAT: sp->pixel_size = sizeof (float); break; case SGILOGDATAFMT_16BIT: sp->pixel_size = sizeof (int16); break; case SGILOGDATAFMT_8BIT: sp->pixel_size = sizeof (uint8); break;

[linux_CVE-2016-6162_1467993153_udpv6_queue_rcv_skb.diff] udpv6_queue_rcv_skb_OLD.c #1
if (sk_filter(sk, skb)) goto drop; + if (unlikely(skb->len < sizeof(struct udphdr))) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-6162_before_1mo_1464904363_udpv6_queue_rcv_skb.c
56
57
58
59
60
61
62
63
64
65
net_dbg_ratelimited("UDPLITE6: coverage %d too small, need min %d\n", UDP_SKB_CB(skb)->cscov, up->pcrlen); goto drop; } } if (rcu_access_pointer(sk->sk_filter) && udp_lib_checksum_complete(skb)) goto csum_error;
+ show +
66
67
68
69
70
if (sk_filter(sk, skb)) goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
+ show +
71
72
73
74
75
76
77
78
79
80
__UDP6_INC_STATS(sock_net(sk), UDP_MIB_RCVBUFERRORS, is_udplite); goto drop; } skb_dst_drop(skb); bh_lock_sock(sk); rc = 0; if (!sock_owned_by_user(sk))

[linux_CVE-2016-6213_1477347919_propagate_umount.diff] propagate_umount_OLD.c #1
struct mount *mnt; LIST_HEAD(to_restore); LIST_HEAD(to_umount); + LIST_HEAD(visited); - list_for_each_entry(mnt, list, mnt_list) { + /* Find candidates for unmounting */ + list_for_each_entry_reverse(mnt, list, mnt_list) { struct mount *parent = mnt->mnt_parent; struct mount *m; + /* + * If this mount has already been visited it is known that it's + * entire peer group and all of their slaves in the propagation + * tree for the mountpoint has already been visited and there is + * no need to visit them again. + */ + if (!list_empty(&mnt->mnt_umounting)) + continue; + + list_add_tail(&mnt->mnt_umounting, &visited); for (m = propagation_next(parent, parent); m; m = propagation_next(m, parent)) { struct mount *child = __lookup_mnt(&m->mnt,
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_before_imd_1477343773_propagate_umount.c
1
2
int propagate_umount(struct list_head *list) {
+ show +
3
4
5
6
7
8
9
10
11
12
13
struct mount *mnt; LIST_HEAD(to_restore); LIST_HEAD(to_umount); list_for_each_entry(mnt, list, mnt_list) { struct mount *parent = mnt->mnt_parent; struct mount *m; for (m = propagation_next(parent, parent); m; m = propagation_next(m, parent)) { struct mount *child = __lookup_mnt(&m->mnt,
+ show +
14
15
16
17
18
19
20
21
22
23
mnt->mnt_mountpoint); if (!child) continue; /* Check the child and parents while progress is made */ while (__propagate_umount(child, &to_umount, &to_restore)) { /* Is the parent a umount candidate? */ child = child->mnt_parent; if (list_empty(&child->mnt_umounting))

[linux_CVE-2016-6213_1477347919_propagate_umount.diff] propagate_umount_OLD.c #2
if (!child) continue; + if (!list_empty(&child->mnt_umounting)) { + /* + * If the child has already been visited it is + * know that it's entire peer group and all of + * their slaves in the propgation tree for the + * mountpoint has already been visited and there + * is no need to visit this subtree again. + */ + m = skip_propagation_subtree(m, parent); + continue; + } else if (child->mnt.mnt_flags & MNT_UMOUNT) { + /* + * We have come accross an partially unmounted + * mount in list that has not been visited yet. + * Remember it has been visited and continue + * about our merry way. + */ + list_add_tail(&child->mnt_umounting, &visited); + continue; + } + /* Check the child and parents while progress is made */ while (__propagate_umount(child, &to_umount, &to_restore)) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_before_imd_1477343773_propagate_umount.c
5
6
7
8
9
10
11
12
13
14
LIST_HEAD(to_umount); list_for_each_entry(mnt, list, mnt_list) { struct mount *parent = mnt->mnt_parent; struct mount *m; for (m = propagation_next(parent, parent); m; m = propagation_next(m, parent)) { struct mount *child = __lookup_mnt(&m->mnt, mnt->mnt_mountpoint);
+ show +
15
16
17
18
19
20
if (!child) continue; /* Check the child and parents while progress is made */ while (__propagate_umount(child, &to_umount, &to_restore)) {
+ show +
21
22
23
24
25
26
27
28
29
30
/* Is the parent a umount candidate? */ child = child->mnt_parent; if (list_empty(&child->mnt_umounting)) break; } } } umount_list(&to_umount, &to_restore); restore_mounts(&to_restore);

[openssl_CVE-2016-6302_1471882801_tls_decrypt_ticket.diff] tls_decrypt_ticket_OLD.c #1
HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; - /* Need at least keyname + iv + some encrypted data */ - if (eticklen < 48) - return 2; + /* Initialize session ticket encryption and HMAC contexts */ hctx = HMAC_CTX_new(); if (hctx == NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2016-6302_before_imd_1470416597_tls_decrypt_ticket.c
1
2
3
4
5
6
7
8
9
static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) { SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; int slen, mlen, renew_ticket = 0, ret = -1; unsigned char tick_hmac[EVP_MAX_MD_SIZE];
+ show +
10
11
12
13
14
15
16
17
18
HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; /* Need at least keyname + iv + some encrypted data */ if (eticklen < 48) return 2; /* Initialize session ticket encryption and HMAC contexts */ hctx = HMAC_CTX_new(); if (hctx == NULL)
+ show +
19
20
21
22
23
24
25
26
27
28
return -2; ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { ret = -2; goto err; } if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, ctx, hctx, 0);
.\cloneFuncs\totalClone\Type-2\CVE-2016-6302_before_1mo_1467657148_tls_decrypt_ticket.c
1
2
3
4
5
6
7
8
9
static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) { SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; int slen, mlen, renew_ticket = 0, ret = -1; unsigned char tick_hmac[EVP_MAX_MD_SIZE];
+ show +
10
11
12
13
14
15
16
17
18
HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; /* Need at least keyname + iv + some encrypted data */ if (eticklen < 48) return 2; /* Initialize session ticket encryption and HMAC contexts */ hctx = HMAC_CTX_new(); if (hctx == NULL)
+ show +
19
20
21
22
23
24
25
26
27
28
return -2; ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { ret = -2; goto err; } if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, ctx, hctx, 0);
.\cloneFuncs\totalClone\Type-3\CVE-2016-6302_before_6mo_1455899084_tls_decrypt_ticket.c
1
2
3
4
5
6
7
8
9
static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) { SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; int slen, mlen, renew_ticket = 0, ret = -1; unsigned char tick_hmac[EVP_MAX_MD_SIZE];
+ show +
10
11
12
13
14
15
16
17
18
HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; /* Need at least keyname + iv + some encrypted data */ if (eticklen < 48) return 2; /* Initialize session ticket encryption and HMAC contexts */ hctx = HMAC_CTX_new(); if (hctx == NULL)
+ show +
19
20
21
22
23
24
25
26
27
28
return -2; ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { ret = -2; goto err; } if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, ctx, hctx, 0);

[openssl_CVE-2016-6302_1471882801_tls_decrypt_ticket.diff] tls_decrypt_ticket_OLD.c #2
if (mlen < 0) { goto err; } + /* Sanity check ticket length: must exceed keyname + IV + HMAC */ + if (eticklen <= + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { + ret = 2; + goto err; + } eticklen -= mlen; /* Check HMAC of encrypted ticket */ if (HMAC_Update(hctx, etick, eticklen) <= 0
.\cloneFuncs\totalClone\Type-1\CVE-2016-6302_before_imd_1470416597_tls_decrypt_ticket.c
49
50
51
52
53
54
55
56
57
58
etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) { goto err; } } /* * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ mlen = HMAC_size(hctx);
+ show +
59
60
61
62
63
64
if (mlen < 0) { goto err; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ if (HMAC_Update(hctx, etick, eticklen) <= 0
+ show +
65
66
67
68
69
70
71
72
73
74
|| HMAC_Final(hctx, tick_hmac, NULL) <= 0) { goto err; } HMAC_CTX_free(hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { EVP_CIPHER_CTX_free(ctx); return 2; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */
.\cloneFuncs\totalClone\Type-2\CVE-2016-6302_before_1mo_1467657148_tls_decrypt_ticket.c
48
49
50
51
52
53
54
55
56
57
tctx->tlsext_tick_aes_key, etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) { goto err; } } /* * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ mlen = HMAC_size(hctx);
+ show +
58
59
60
61
62
63
if (mlen < 0) { goto err; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ if (HMAC_Update(hctx, etick, eticklen) <= 0
+ show +
64
65
66
67
68
69
70
71
72
73
|| HMAC_Final(hctx, tick_hmac, NULL) <= 0) { goto err; } HMAC_CTX_free(hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { EVP_CIPHER_CTX_free(ctx); return 2; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */
.\cloneFuncs\totalClone\Type-3\CVE-2016-6302_before_6mo_1455899084_tls_decrypt_ticket.c
46
47
48
49
50
51
52
53
54
55
tctx->tlsext_tick_aes_key, etick + 16) <= 0) { goto err; } } /* * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ mlen = HMAC_size(hctx);
+ show +
56
57
58
59
60
61
if (mlen < 0) { goto err; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ if (HMAC_Update(hctx, etick, eticklen) <= 0
+ show +
62
63
64
65
66
67
68
69
70
71
|| HMAC_Final(hctx, tick_hmac, NULL) <= 0) { goto err; } HMAC_CTX_free(hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { EVP_CIPHER_CTX_free(ctx); return 2; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */

[openssl_CVE-2016-6303_1471645709_MDC2_Update.diff] MDC2_Update_OLD.c #1
i = c->num; if (i != 0) { - if (i + len < MDC2_BLOCK) { + if (len < MDC2_BLOCK - i) { /* partial block */ memcpy(&(c->data[i]), in, len); c->num += (int)len;
.\cloneFuncs\totalClone\Type-1\CVE-2016-6303_before_1mo_1450461443_MDC2_Update.c
1
2
3
4
int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len) { size_t i, j;
+ show +
5
6
7
8
9
10
i = c->num; if (i != 0) { if (i + len < MDC2_BLOCK) { /* partial block */ memcpy(&(c->data[i]), in, len); c->num += (int)len;
+ show +
11
12
13
14
15
16
17
18
19
20
return 1; } else { /* filled one */ j = MDC2_BLOCK - i; memcpy(&(c->data[i]), in, j); len -= j; in += j; c->num = 0; mdc2_body(c, &(c->data[0]), MDC2_BLOCK); }

[openssl_CVE-2016-6304_1473412125_ssl_scan_clienthello_tlsext.diff] ssl_scan_clienthello_tlsext_OLD.c #1
(&extension, &responder_id_list)) return 0; + /* + * We remove any OCSP_RESPIDs from a previous handshake + * to prevent unbounded memory growth - CVE-2016-6304 + */ + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, + OCSP_RESPID_free); + if (PACKET_remaining(&responder_id_list) > 0) { + s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); + if (s->tlsext_ocsp_ids == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + } else { + s->tlsext_ocsp_ids = NULL; + } + while (PACKET_remaining(&responder_id_list) > 0) { OCSP_RESPID *id; PACKET responder_id;
.\cloneFuncs\totalClone\Type-1\CVE-2016-6304_before_imd_1474379264_ssl_scan_clienthello_tlsext.c
236
237
238
239
240
241
242
243
244
245
} else if (type == TLSEXT_TYPE_status_request) { if (!PACKET_get_1(&extension, (unsigned int *)&s->tlsext_status_type)) { return 0; } #ifndef OPENSSL_NO_OCSP if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { const unsigned char *ext_data; PACKET responder_id_list, exts; if (!PACKET_get_length_prefixed_2
+ show +
246
247
248
249
250
251
(&extension, &responder_id_list)) return 0; while (PACKET_remaining(&responder_id_list) > 0) { OCSP_RESPID *id; PACKET responder_id;
+ show +
252
253
254
255
256
257
258
259
260
261
const unsigned char *id_data; if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) || PACKET_remaining(&responder_id) == 0) { return 0; } if (s->tlsext_ocsp_ids == NULL && (s->tlsext_ocsp_ids =

[openssl_CVE-2016-6304_1473412125_ssl_scan_clienthello_tlsext.diff] ssl_scan_clienthello_tlsext_OLD.c #2
return 0; } - if (s->tlsext_ocsp_ids == NULL - && (s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null()) == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - id_data = PACKET_data(&responder_id); id = d2i_OCSP_RESPID(NULL, &id_data, PACKET_remaining(&responder_id));
.\cloneFuncs\totalClone\Type-1\CVE-2016-6304_before_imd_1474379264_ssl_scan_clienthello_tlsext.c
247
248
249
250
251
252
253
254
255
256
return 0; while (PACKET_remaining(&responder_id_list) > 0) { OCSP_RESPID *id; PACKET responder_id; const unsigned char *id_data; if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) || PACKET_remaining(&responder_id) == 0) {
+ show +
257
258
259
260
261
262
263
264
265
266
267
268
269
return 0; } if (s->tlsext_ocsp_ids == NULL && (s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null()) == NULL) { *al = SSL_AD_INTERNAL_ERROR; return 0; } id_data = PACKET_data(&responder_id); id = d2i_OCSP_RESPID(NULL, &id_data, PACKET_remaining(&responder_id));
+ show +
270
271
272
273
274
275
276
277
278
279
if (id == NULL) return 0; if (id_data != PACKET_end(&responder_id)) { OCSP_RESPID_free(id); return 0; } if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id);
.\cloneFuncs\totalClone\Type-2\CVE-2016-6304_before_6mo_1454872627_ssl_scan_clienthello_tlsext.c
244
245
246
247
248
249
250
251
252
253
return 0; while (PACKET_remaining(&responder_id_list) > 0) { OCSP_RESPID *id; PACKET responder_id; const unsigned char *id_data; if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) || PACKET_remaining(&responder_id) == 0) {
+ show +
254
255
256
257
258
259
260
261
262
263
264
265
266
return 0; } if (s->tlsext_ocsp_ids == NULL && (s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null()) == NULL) { *al = SSL_AD_INTERNAL_ERROR; return 0; } id_data = PACKET_data(&responder_id); id = d2i_OCSP_RESPID(NULL, &id_data, PACKET_remaining(&responder_id));
+ show +
267
268
269
270
271
272
273
274
275
276
if (id == NULL) return 0; if (id_data != PACKET_end(&responder_id)) { OCSP_RESPID_free(id); return 0; } if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id);
.\cloneFuncs\totalClone\Type-3\CVE-2016-6304_before_1mo_1467657148_ssl_scan_clienthello_tlsext.c
246
247
248
249
250
251
252
253
254
255
return 0; while (PACKET_remaining(&responder_id_list) > 0) { OCSP_RESPID *id; PACKET responder_id; const unsigned char *id_data; if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) || PACKET_remaining(&responder_id) == 0) {
+ show +
256
257
258
259
260
261
262
263
264
265
266
267
268
return 0; } if (s->tlsext_ocsp_ids == NULL && (s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null()) == NULL) { *al = SSL_AD_INTERNAL_ERROR; return 0; } id_data = PACKET_data(&responder_id); id = d2i_OCSP_RESPID(NULL, &id_data, PACKET_remaining(&responder_id));
+ show +
269
270
271
272
273
274
275
276
277
278
if (id == NULL) return 0; if (id_data != PACKET_end(&responder_id)) { OCSP_RESPID_free(id); return 0; } if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id);

[openssl_CVE-2016-6305_1473539080_ssl3_read_bytes.diff] ssl3_read_bytes_OLD.c #1
memcpy(buf, &(rr->data[rr->off]), n); buf += n; - if (!peek) { + if (peek) { + /* Mark any zero length record as consumed CVE-2016-6305 */ + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + } else { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-6305_before_imd_1474463251_ssl3_read_bytes.c
162
163
164
165
166
167
168
169
170
171
if (len <= 0) return (len); read_bytes = 0; do { if ((unsigned int)len - read_bytes > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); else n = (unsigned int)len - read_bytes;
+ show +
172
173
174
175
176
177
memcpy(buf, &(rr->data[rr->off]), n); buf += n; if (!peek) { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) {
+ show +
178
179
180
181
182
183
184
185
186
187
s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_off(rr, 0); SSL3_RECORD_set_read(rr); } } if (SSL3_RECORD_get_length(rr) == 0 || (peek && n == SSL3_RECORD_get_length(rr))) { curr_rec++; rr++; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-6305_before_1mo_1469439417_ssl3_read_bytes.c
154
155
156
157
158
159
160
161
162
163
if (len <= 0) return (len); read_bytes = 0; do { if ((unsigned int)len - read_bytes > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); else n = (unsigned int)len - read_bytes;
+ show +
164
165
166
167
168
169
memcpy(buf, &(rr->data[rr->off]), n); buf += n; if (!peek) { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) {
+ show +
170
171
172
173
174
175
176
177
178
179
s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_off(rr, 0); SSL3_RECORD_set_read(rr); } } if (SSL3_RECORD_get_length(rr) == 0 || (peek && n == SSL3_RECORD_get_length(rr))) { curr_rec++; rr++; }

[openssl_CVE-2016-6307_1474282627_dtls1_preprocess_fragment.diff] dtls1_preprocess_fragment_OLD.c #1
frag_len = msg_hdr->frag_len; /* sanity checking */ - if ((frag_off + frag_len) > msg_len) { + if ((frag_off + frag_len) > msg_len + || msg_len > dtls1_max_handshake_message_len(s)) { SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SSL_AD_ILLEGAL_PARAMETER; } if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ /* - * msg_len is limited to 2^24, but is effectively checked against max - * above + * msg_len is limited to 2^24, but is effectively checked against + * dtls_max_handshake_message_len(s) above */ if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
.\cloneFuncs\totalClone\Type-1\CVE-2016-6307_before_1mo_1470416597_dtls1_preprocess_fragment.c
1
2
3
4
5
6
static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) { size_t frag_off, frag_len, msg_len; msg_len = msg_hdr->msg_len; frag_off = msg_hdr->frag_off;
+ show +
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
frag_len = msg_hdr->frag_len; /* sanity checking */ if ((frag_off + frag_len) > msg_len) { SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SSL_AD_ILLEGAL_PARAMETER; } if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ /* * msg_len is limited to 2^24, but is effectively checked against max * above */ if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
+ show +
22
23
24
25
26
27
28
29
30
31
return SSL_AD_INTERNAL_ERROR; } s->s3->tmp.message_size = msg_len; s->d1->r_msg_hdr.msg_len = msg_len; s->s3->tmp.message_type = msg_hdr->type; s->d1->r_msg_hdr.type = msg_hdr->type; s->d1->r_msg_hdr.seq = msg_hdr->seq; } else if (msg_len != s->d1->r_msg_hdr.msg_len) { /*

[openssl_CVE-2016-6309_1474646291_read_state_machine.diff] read_state_machine_OLD.c #1
/* dtls_get_message already did this */ if (!SSL_IS_DTLS(s) && s->s3->tmp.message_size > 0 - && !BUF_MEM_grow_clean(s->init_buf, - (int)s->s3->tmp.message_size - + SSL3_HM_HEADER_LENGTH)) { + && !grow_init_buf(s, s->s3->tmp.message_size + + SSL3_HM_HEADER_LENGTH)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); return SUB_STATE_ERROR;
.\cloneFuncs\totalClone\Type-1\CVE-2016-6309_before_imd_1472578278_read_state_machine.c
62
63
64
65
66
67
68
69
70
71
ossl_statem_set_error(s); return SUB_STATE_ERROR; } if (s->s3->tmp.message_size > max_message_size(s)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SUB_STATE_ERROR; }
+ show +
72
73
74
75
76
77
78
79
80
/* dtls_get_message already did this */ if (!SSL_IS_DTLS(s) && s->s3->tmp.message_size > 0 && !BUF_MEM_grow_clean(s->init_buf, (int)s->s3->tmp.message_size + SSL3_HM_HEADER_LENGTH)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); return SUB_STATE_ERROR;
+ show +
81
82
83
84
85
86
87
88
89
90
} st->read_state = READ_STATE_BODY; /* Fall through */ case READ_STATE_BODY: if (!SSL_IS_DTLS(s)) { /* We already got this above for DTLS */ ret = tls_get_message_body(s, &len); if (ret == 0) {

[linux_CVE-2016-6480_1470426250_ioctl_send_fib.diff] ioctl_send_fib_OLD.c #3
goto cleanup; } + /* Sanity check the second copy */ + if ((osize != le16_to_cpu(kfib->header.Size) + + sizeof(struct aac_fibhdr)) + || (size < le16_to_cpu(kfib->header.SenderSize))) { + retval = -EINVAL; + goto cleanup; + } + if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { aac_adapter_interrupt(dev); /*
.\cloneFuncs\totalClone\Type-1\CVE-2016-6480_after_1mo_1482703288_ioctl_send_fib.c
58
59
60
61
62
63
64
65
66
67
if (copy_from_user(kfib, arg, size)) { retval = -EFAULT; goto cleanup; } /* Sanity check the second copy */ if ((osize != le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr)) || (size < le16_to_cpu(kfib->header.SenderSize))) { retval = -EINVAL;
+ show +
68
69
70
71
72
73
goto cleanup; } if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { aac_adapter_interrupt(dev); /*
+ show +
74
75
76
77
78
79
80
81
82
83
* Since we didn't really send a fib, zero out the state to allow * cleanup code not to assert. */ kfib->header.XferState = 0; } else { retval = aac_fib_send(le16_to_cpu(kfib->header.Command), fibptr, le16_to_cpu(kfib->header.Size) , FsaNormal, 1, 1, NULL, NULL); if (retval) { goto cleanup;
.\cloneFuncs\totalClone\Type-1\CVE-2016-6480_before_1mo_1454540766_ioctl_send_fib.c
49
50
51
52
53
54
55
56
57
58
hw_fib = fibptr->hw_fib_va; hw_fib_pa = fibptr->hw_fib_pa; fibptr->hw_fib_va = kfib; fibptr->hw_fib_pa = daddr; memset(((char *)kfib) + dev->max_fib_size, 0, size - dev->max_fib_size); memcpy(kfib, hw_fib, dev->max_fib_size); } if (copy_from_user(kfib, arg, size)) { retval = -EFAULT;
+ show +
59
60
61
62
63
64
goto cleanup; } if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { aac_adapter_interrupt(dev); /*
+ show +
65
66
67
68
69
70
71
72
73
74
* Since we didn't really send a fib, zero out the state to allow * cleanup code not to assert. */ kfib->header.XferState = 0; } else { retval = aac_fib_send(le16_to_cpu(kfib->header.Command), fibptr, le16_to_cpu(kfib->header.Size) , FsaNormal, 1, 1, NULL, NULL); if (retval) { goto cleanup;

[linux_CVE-2016-6480_1470426250_ioctl_send_fib.diff] ioctl_send_fib_OLD.c #1
struct fib *fibptr; struct hw_fib * hw_fib = (struct hw_fib *)0; dma_addr_t hw_fib_pa = (dma_addr_t)0LL; - unsigned size; + unsigned int size, osize; int retval; if (dev->in_reset) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-6480_before_1mo_1454540766_ioctl_send_fib.c
1
2
3
static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) { struct hw_fib * kfib;
+ show +
4
5
6
7
8
9
10
struct fib *fibptr; struct hw_fib * hw_fib = (struct hw_fib *)0; dma_addr_t hw_fib_pa = (dma_addr_t)0LL; unsigned size; int retval; if (dev->in_reset) {
+ show +
11
12
13
14
15
16
17
18
19
20
return -EBUSY; } fibptr = aac_fib_alloc(dev); if(fibptr == NULL) { return -ENOMEM; } kfib = fibptr->hw_fib_va; /* * First copy in the header so that we can check the size field.

[linux_CVE-2016-6480_1470426250_ioctl_send_fib.diff] ioctl_send_fib_OLD.c #2
* will not overrun the buffer when we copy the memory. Return * an error if we would. */ - size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); + osize = size = le16_to_cpu(kfib->header.Size) + + sizeof(struct aac_fibhdr); if (size < le16_to_cpu(kfib->header.SenderSize)) size = le16_to_cpu(kfib->header.SenderSize); if (size > dev->max_fib_size) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-6480_before_1mo_1454540766_ioctl_send_fib.c
18
19
20
21
22
23
24
25
26
27
kfib = fibptr->hw_fib_va; /* * First copy in the header so that we can check the size field. */ if (copy_from_user((void *)kfib, arg, sizeof(struct aac_fibhdr))) { aac_fib_free(fibptr); return -EFAULT; } /* * Since we copy based on the fib header size, make sure that we
+ show +
28
29
30
31
32
33
34
* will not overrun the buffer when we copy the memory. Return * an error if we would. */ size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); if (size < le16_to_cpu(kfib->header.SenderSize)) size = le16_to_cpu(kfib->header.SenderSize); if (size > dev->max_fib_size) {
+ show +
35
36
37
38
39
40
41
42
43
44
dma_addr_t daddr; if (size > 2048) { retval = -EINVAL; goto cleanup; } kfib = pci_alloc_consistent(dev->pdev, size, &daddr); if (!kfib) { retval = -ENOMEM;

[linux_CVE-2016-7042_1477490514_proc_keys_show.diff] proc_keys_show_OLD.c #1
struct timespec now; unsigned long timo; key_ref_t key_ref, skey_ref; - char xbuf[12]; + char xbuf[16]; int rc; struct keyring_search_context ctx = {
.\cloneFuncs\totalClone\Type-1\CVE-2016-7042_before_1mo_1410885362_proc_keys_show.c
1
2
3
4
static int proc_keys_show(struct seq_file *m, void *v) { struct rb_node *_p = v; struct key *key = rb_entry(_p, struct key, serial_node);
+ show +
5
6
7
8
9
10
11
struct timespec now; unsigned long timo; key_ref_t key_ref, skey_ref; char xbuf[12]; int rc; struct keyring_search_context ctx = {
+ show +
12
13
14
15
16
17
18
19
20
21
.index_key.type = key->type, .index_key.description = key->description, .cred = current_cred(), .match_data.cmp = lookup_user_key_possessed, .match_data.raw_data = key, .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, .flags = KEYRING_SEARCH_NO_STATE_CHECK, }; key_ref = make_key_ref(key, 0);
.\cloneFuncs\totalClone\Type-2\CVE-2016-7042_before_6mo_1394819089_proc_keys_show.c
1
2
3
4
static int proc_keys_show(struct seq_file *m, void *v) { struct rb_node *_p = v; struct key *key = rb_entry(_p, struct key, serial_node);
+ show +
5
6
7
8
9
10
11
struct timespec now; unsigned long timo; key_ref_t key_ref, skey_ref; char xbuf[12]; int rc; struct keyring_search_context ctx = {
+ show +
12
13
14
15
16
17
18
19
20
21
.index_key.type = key->type, .index_key.description = key->description, .cred = current_cred(), .match = lookup_user_key_possessed, .match_data = key, .flags = (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_LOOKUP_DIRECT), }; key_ref = make_key_ref(key, 0);

[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #1
static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, - int tag, int aclass, char opt, ASN1_TLC *ctx) + int tag, int aclass, char opt, ASN1_TLC *ctx, + int depth) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
+ show +
1
2
3
4
5
6
static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef;
+ show +
7
8
9
10
11
12
13
14
15
16
const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb; const unsigned char *p = NULL, *q; unsigned char oclass; char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
+ show +
1
2
3
4
5
6
static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef;
+ show +
7
8
9
10
11
12
13
14
15
16
const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb; const unsigned char *p = NULL, *q; unsigned char oclass; char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
+ show +
1
2
3
4
5
6
static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef;
+ show +
7
8
9
10
11
12
13
14
15
16
const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb; const unsigned char *p = NULL, *q; unsigned char oclass; char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr;

[openssl_CVE-2016-7053_1476442303_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #1
/* If field not present, try the next one */ if (ret == -1) continue; - /* - * Set the choice selector here to ensure that the value is - * correctly freed upon error. It may be partially initialized - * even if parsing failed. - */ - asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; - /* Otherwise must be an ASN1 parsing error */ + /* + * Must be an ASN1 parsing error. + * Free up any partial choice value + */ + asn1_template_free(pchptr, tt); errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
91
92
93
94
95
96
97
98
99
100
goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt); /* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+ show +
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
/* If field not present, try the next one */ if (ret == -1) continue; /* * Set the choice selector here to ensure that the value is * correctly freed upon error. It may be partially initialized * even if parsing failed. */ asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
117
118
119
120
121
122
123
124
125
126
} /* Did we fall off the end without reading anything? */ if (i == it->tcount) { /* If OPTIONAL, this is OK */ if (opt) { /* Free and zero it */ ASN1_item_ex_free(pval, it); return -1; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
91
92
93
94
95
96
97
98
99
100
goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt); /* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+ show +
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
/* If field not present, try the next one */ if (ret == -1) continue; /* * Set the choice selector here to ensure that the value is * correctly freed upon error. It may be partially initialized * even if parsing failed. */ asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
117
118
119
120
121
122
123
124
125
126
} /* Did we fall off the end without reading anything? */ if (i == it->tcount) { /* If OPTIONAL, this is OK */ if (opt) { /* Free and zero it */ ASN1_item_ex_free(pval, it); return -1; }

[openssl_CVE-2016-7053_1476442303_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #2
goto err; } + asn1_set_choice_selector(pval, i, it); + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
118
119
120
121
122
123
124
125
126
127
/* Did we fall off the end without reading anything? */ if (i == it->tcount) { /* If OPTIONAL, this is OK */ if (opt) { /* Free and zero it */ ASN1_item_ex_free(pval, it); return -1; } ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+ show +
128
129
130
131
132
133
goto err; } if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p;
+ show +
134
135
136
137
138
139
140
141
142
143
return 1; case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: p = *in; tmplen = len; /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if (tag == -1) { tag = V_ASN1_SEQUENCE;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
118
119
120
121
122
123
124
125
126
127
/* Did we fall off the end without reading anything? */ if (i == it->tcount) { /* If OPTIONAL, this is OK */ if (opt) { /* Free and zero it */ ASN1_item_ex_free(pval, it); return -1; } ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+ show +
128
129
130
131
132
133
goto err; } if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p;
+ show +
134
135
136
137
138
139
140
141
142
143
return 1; case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: p = *in; tmplen = len; /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if (tag == -1) { tag = V_ASN1_SEQUENCE;

[openssl_CVE-2016-7054_1478265706_chacha20_poly1305_cipher.diff] chacha20_poly1305_cipher_OLD.c #1
memcpy(out, actx->tag, POLY1305_BLOCK_SIZE); } else { if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) { - memset(out, 0, plen); + memset(out - plen, 0, plen); return -1; } }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7054_before_1mo_1462877168_chacha20_poly1305_cipher.c
94
95
96
97
98
99
100
101
102
103
temp[15] = (unsigned char)(actx->len.text>>56); Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE); } Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag : temp); actx->mac_inited = 0; if (in != NULL && len != plen) { /* tls mode */ if (ctx->encrypt) {
+ show +
104
105
106
107
108
109
110
memcpy(out, actx->tag, POLY1305_BLOCK_SIZE); } else { if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) { memset(out, 0, plen); return -1; } }
+ show +
111
112
113
114
115
116
117
118
} else if (!ctx->encrypt) { if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len)) return -1; } } return len; }

[openssl_CVE-2016-7055_1478453474_test_mont.diff] test_mont_OLD.c #1
return 0; } } + + /* Regression test for carry bug in mulx4x_mont */ + BN_hex2bn(&a, + "7878787878787878787878787878787878787878787878787878787878787878" + "7878787878787878787878787878787878787878787878787878787878787878" + "7878787878787878787878787878787878787878787878787878787878787878" + "7878787878787878787878787878787878787878787878787878787878787878"); + BN_hex2bn(&b, + "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744" + "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593" + "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03" + "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81"); + BN_hex2bn(&n, + "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B" + "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5" + "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4" + "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF"); + BN_MONT_CTX_set(mont, n, ctx); + BN_mod_mul_montgomery(c, a, b, mont, ctx); + BN_mod_mul_montgomery(d, b, a, mont, ctx); + if (BN_cmp(c, d)) { + fprintf(stderr, "Montgomery multiplication test failed:" + " a*b != b*a.\n"); + return 0; + } + BN_MONT_CTX_free(mont); BN_free(a); BN_free(b);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7055_before_1mo_1470708748_test_mont.c
56
57
58
59
60
61
62
63
64
65
BN_print(bp, &mont->N); BIO_puts(bp, " - "); } BN_print(bp, A); BIO_puts(bp, "\n"); } BN_mod_mul(d, a, b, n, ctx); BN_sub(d, d, A); if (!BN_is_zero(d)) { fprintf(stderr, "Montgomery multiplication test failed!\n");
+ show +
66
67
68
69
70
71
return 0; } } BN_MONT_CTX_free(mont); BN_free(a); BN_free(b);
+ show +
72
73
74
75
76
77
78
BN_free(c); BN_free(d); BN_free(A); BN_free(B); BN_free(n); return (1); }

[xen_CVE-2016-7093_1469203374_x86_emulate.diff] x86_emulate_OLD.c #1
#endif } - /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */ - if ( def_ad_bytes < sizeof(_regs.eip) ) - _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1; - /* Prefix bytes. */ for ( ; ; ) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
26
27
28
29
30
31
32
33
34
35
ea.mem.seg = x86_seg_ds; /* gcc may reject anon union initializer */ ctxt->retire.byte = 0; op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->addr_size/8; if ( op_bytes == 8 ) { op_bytes = def_op_bytes = 4; #ifndef __x86_64__ return X86EMUL_UNHANDLEABLE;
+ show +
36
37
38
39
40
41
42
43
44
45
#endif } /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */ if ( def_ad_bytes < sizeof(_regs.eip) ) _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1; /* Prefix bytes. */ for ( ; ; ) {
+ show +
46
47
48
49
50
51
52
53
54
55
switch ( b = insn_fetch_type(uint8_t) ) { case 0x66: /* operand-size override */ op_bytes = def_op_bytes ^ 6; if ( !vex.pfx ) vex.pfx = vex_66; break; case 0x67: /* address-size override */ ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6); break;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
25
26
27
28
29
30
31
32
33
34
ea.mem.seg = x86_seg_ds; /* gcc may reject anon union initializer */ ctxt->retire.byte = 0; op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->addr_size/8; if ( op_bytes == 8 ) { op_bytes = def_op_bytes = 4; #ifndef __x86_64__ return X86EMUL_UNHANDLEABLE;
+ show +
35
36
37
38
39
40
41
42
43
44
#endif } /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */ if ( def_ad_bytes < sizeof(_regs.eip) ) _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1; /* Prefix bytes. */ for ( ; ; ) {
+ show +
45
46
47
48
49
50
51
52
53
54
switch ( b = insn_fetch_type(uint8_t) ) { case 0x66: /* operand-size override */ op_bytes = def_op_bytes ^ 6; if ( !vex.pfx ) vex.pfx = vex_66; break; case 0x67: /* address-size override */ ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6); break;

[xen_CVE-2016-7093_1469203374_x86_emulate.diff] x86_emulate_OLD.c #2
/* Commit shadow register state. */ _regs.eflags &= ~EFLG_RF; - switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) ) - { - uint16_t ip; - case 2: - ip = _regs.eip; - _regs.eip = ctxt->regs->eip; - *(uint16_t *)&_regs.eip = ip; - break; -#ifdef __x86_64__ - case 4: - _regs.rip = _regs._eip; - break; -#endif - } + /* Zero the upper 32 bits of %rip if not in long mode. */ + if ( def_ad_bytes < sizeof(_regs.eip) ) + _regs.eip = (uint32_t)_regs.eip; + *ctxt->regs = _regs; done:
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
default: break; } no_writeback: /* Inject #DB if single-step tracing was enabled at instruction start. */ if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ show +
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
/* Commit shadow register state. */ _regs.eflags &= ~EFLG_RF; switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) ) { uint16_t ip; case 2: ip = _regs.eip; _regs.eip = ctxt->regs->eip; *(uint16_t *)&_regs.eip = ip; break; #ifdef __x86_64__ case 4: _regs.rip = _regs._eip; break; #endif } *ctxt->regs = _regs; done:
+ show +
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
_put_fpu(); put_stub(stub); return rc; ext_0f_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2); generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
default: break; } no_writeback: /* Inject #DB if single-step tracing was enabled at instruction start. */ if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ show +
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
/* Commit shadow register state. */ _regs.eflags &= ~EFLG_RF; switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) ) { uint16_t ip; case 2: ip = _regs.eip; _regs.eip = ctxt->regs->eip; *(uint16_t *)&_regs.eip = ip; break; #ifdef __x86_64__ case 4: _regs.rip = _regs._eip; break; #endif } *ctxt->regs = _regs; done:
+ show +
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
_put_fpu(); put_stub(stub); return rc; twobyte_insn: switch ( b ) { case 0x00: /* Grp6 */ fail_if((modrm_reg & 6) != 2); generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);

[xen_CVE-2016-7094_1467331324_hvm_translate_linear_addr.diff] hvm_translate_linear_addr_OLD.c #1
struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { - struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); + const struct segment_register *reg; int okay; + /* + * Can arrive here with non-user segments. However, no such cirucmstance + * is part of a legitimate pagetable update, so fail the emulation. + */ + if ( !is_x86_user_segment(seg) ) + return X86EMUL_UNHANDLEABLE; + + reg = hvm_get_seg_reg(seg, sh_ctxt); + okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7094_before_1mo_1462624865_hvm_translate_linear_addr.c
1
2
3
4
5
static int hvm_translate_linear_addr( enum x86_segment seg, unsigned long offset, unsigned int bytes, enum hvm_access_type access_type,
+ show +
6
7
8
9
10
11
12
13
struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); int okay; okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ show +
14
15
16
17
18
19
20
21
22
23
if ( !okay ) { hvm_inject_hw_exception( (seg == x86_seg_ss) ? TRAP_stack_error : TRAP_gp_fault, 0); return X86EMUL_EXCEPTION; } return 0; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-7094_before_6mo_1445942660_hvm_translate_linear_addr.c
1
2
3
4
5
static int hvm_translate_linear_addr( enum x86_segment seg, unsigned long offset, unsigned int bytes, enum hvm_access_type access_type,
+ show +
6
7
8
9
10
11
12
13
struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); int okay; okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ show +
14
15
16
17
18
19
20
21
22
if ( !okay ) { hvm_inject_hw_exception(TRAP_gp_fault, 0); return X86EMUL_EXCEPTION; } return 0; }

[tcpdump_CVE-2016-7923_1436324935_arp_print.diff] arp_print_OLD.c #1
case ARPOP_REQUEST: ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, TPA(ap)))); - if (memcmp((const char *)ezero, (const char *)THA(ap), HRD_LEN(ap)) != 0) + if (isnonzero((const u_char *)THA(ap), HRD_LEN(ap))) ND_PRINT((ndo, " (%s)", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); ND_PRINT((ndo, " tell %s", ipaddr_string(ndo, SPA(ap))));
.\cloneFuncs\totalClone\Type-1\CVE-2016-7923_before_1mo_1427018775_arp_print.c
57
58
59
60
61
62
63
64
65
66
} } /* print operation */ ND_PRINT((ndo, "%s%s ", ndo->ndo_vflag ? ", " : "", tok2str(arpop_values, "Unknown (%u)", op))); switch (op) {
+ show +
67
68
69
70
71
72
case ARPOP_REQUEST: ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, TPA(ap)))); if (memcmp((const char *)ezero, (const char *)THA(ap), HRD_LEN(ap)) != 0) ND_PRINT((ndo, " (%s)", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); ND_PRINT((ndo, " tell %s", ipaddr_string(ndo, SPA(ap))));
+ show +
73
74
75
76
77
78
79
80
81
82
break; case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s",
.\cloneFuncs\totalClone\Type-2\CVE-2016-7923_before_6mo_1396597426_arp_print.c
57
58
59
60
61
62
63
64
65
66
} } /* print operation */ ND_PRINT((ndo, "%s%s ", ndo->ndo_vflag ? ", " : "", tok2str(arpop_values, "Unknown (%u)", op))); switch (op) {
+ show +
67
68
69
70
71
72
case ARPOP_REQUEST: ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, TPA(ap)))); if (memcmp((const char *)ezero, (const char *)THA(ap), HRD_LEN(ap)) != 0) ND_PRINT((ndo, " (%s)", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); ND_PRINT((ndo, " tell %s", ipaddr_string(ndo, SPA(ap))));
+ show +
73
74
75
76
77
78
79
80
81
82
break; case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s",

[tcpdump_CVE-2017-13013_1489686871_arp_print.diff] arp_print_OLD.c #1
break; } - if (!ND_TTEST2(*ar_tpa(ap), PROTO_LEN(ap))) { + if (!ND_TTEST2(*TPA(ap), PROTO_LEN(ap))) { ND_PRINT((ndo, "%s", tstr)); ND_DEFAULTPRINT((const u_char *)ap, length); return;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7923_before_1mo_1427018775_arp_print.c
20
21
22
23
24
25
26
27
28
29
switch(hrd) { case ARPHRD_ATM2225: atmarp_print(ndo, bp, length, caplen); return; case ARPHRD_FRELAY: linkaddr = LINKADDR_FRELAY; break; default: linkaddr = LINKADDR_ETHER;
+ show +
30
31
32
33
34
35
36
break; } if (!ND_TTEST2(*ar_tpa(ap), PROTO_LEN(ap))) { ND_PRINT((ndo, "%s", tstr)); ND_DEFAULTPRINT((const u_char *)ap, length); return;
+ show +
37
38
39
40
41
42
43
44
45
46
} if (!ndo->ndo_eflag) { ND_PRINT((ndo, "ARP, ")); } /* print hardware type/len and proto type/len */ if ((pro != ETHERTYPE_IP && pro != ETHERTYPE_TRAIL) || PROTO_LEN(ap) != 4 || HRD_LEN(ap) == 0 ||
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_imd_1436324935_arp_print.c
20
21
22
23
24
25
26
27
28
29
switch(hrd) { case ARPHRD_ATM2225: atmarp_print(ndo, bp, length, caplen); return; case ARPHRD_FRELAY: linkaddr = LINKADDR_FRELAY; break; default: linkaddr = LINKADDR_ETHER;
+ show +
30
31
32
33
34
35
36
break; } if (!ND_TTEST2(*ar_tpa(ap), PROTO_LEN(ap))) { ND_PRINT((ndo, "%s", tstr)); ND_DEFAULTPRINT((const u_char *)ap, length); return;
+ show +
37
38
39
40
41
42
43
44
45
46
} if (!ndo->ndo_eflag) { ND_PRINT((ndo, "ARP, ")); } /* print hardware type/len and proto type/len */ if ((pro != ETHERTYPE_IP && pro != ETHERTYPE_TRAIL) || PROTO_LEN(ap) != 4 || HRD_LEN(ap) == 0 ||
.\cloneFuncs\totalClone\Type-2\CVE-2016-7923_before_6mo_1396597426_arp_print.c
20
21
22
23
24
25
26
27
28
29
switch(hrd) { case ARPHRD_ATM2225: atmarp_print(ndo, bp, length, caplen); return; case ARPHRD_FRELAY: linkaddr = LINKADDR_FRELAY; break; default: linkaddr = LINKADDR_ETHER;
+ show +
30
31
32
33
34
35
36
break; } if (!ND_TTEST2(*ar_tpa(ap), PROTO_LEN(ap))) { ND_PRINT((ndo, "%s", tstr)); ND_DEFAULTPRINT((const u_char *)ap, length); return;
+ show +
37
38
39
40
41
42
43
44
45
46
} if (!ndo->ndo_eflag) { ND_PRINT((ndo, "ARP, ")); } /* print hardware type/len and proto type/len */ if ((pro != ETHERTYPE_IP && pro != ETHERTYPE_TRAIL) || PROTO_LEN(ap) != 4 || HRD_LEN(ap) == 0 ||

[tcpdump_CVE-2017-13013_1489686871_arp_print.diff] arp_print_OLD.c #3
break; case ARPOP_REVREPLY: - ND_PRINT((ndo, "%s at %s", - linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), - ipaddr_string(ndo, TPA(ap)))); + ND_PRINT((ndo, "%s at ", + linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); + tpaddr_print_ip(ndo, ap, pro); break; case ARPOP_INVREQUEST:
.\cloneFuncs\totalClone\Type-1\CVE-2016-7923_before_1mo_1427018775_arp_print.c
75
76
77
78
79
80
81
82
83
84
case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap))));
+ show +
85
86
87
88
89
90
91
92
93
break; case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break; case ARPOP_INVREQUEST:
+ show +
94
95
96
97
98
99
100
101
102
103
ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_INVREPLY: ND_PRINT((ndo,"%s at %s", linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, SPA(ap)))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_imd_1436324935_arp_print.c
75
76
77
78
79
80
81
82
83
84
case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap))));
+ show +
85
86
87
88
89
90
91
92
93
break; case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break; case ARPOP_INVREQUEST:
+ show +
94
95
96
97
98
99
100
101
102
103
ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_INVREPLY: ND_PRINT((ndo,"%s at %s", linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, SPA(ap)))); break;
.\cloneFuncs\totalClone\Type-2\CVE-2016-7923_before_6mo_1396597426_arp_print.c
75
76
77
78
79
80
81
82
83
84
case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap))));
+ show +
85
86
87
88
89
90
91
92
93
break; case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break; case ARPOP_INVREQUEST:
+ show +
94
95
96
97
98
99
100
101
102
103
ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_INVREPLY: ND_PRINT((ndo,"%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break;

[tcpdump_CVE-2017-13013_1489686871_arp_print.diff] arp_print_OLD.c #4
break; case ARPOP_INVREPLY: - ND_PRINT((ndo,"%s at %s", - linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)), - ipaddr_string(ndo, SPA(ap)))); + ND_PRINT((ndo,"%s at ", + linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); + spaddr_print_ip(ndo, ap, pro); break; default:
.\cloneFuncs\totalClone\Type-1\CVE-2016-7923_before_1mo_1427018775_arp_print.c
87
88
89
90
91
92
93
94
95
96
case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break; case ARPOP_INVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap))));
+ show +
97
98
99
100
101
102
103
104
105
break; case ARPOP_INVREPLY: ND_PRINT((ndo,"%s at %s", linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, SPA(ap)))); break; default:
+ show +
106
107
108
109
110
111
112
113
114
115
ND_DEFAULTPRINT((const u_char *)ap, caplen); return; } out: ND_PRINT((ndo, ", length %u", length)); return; trunc: ND_PRINT((ndo, "%s", tstr));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_imd_1436324935_arp_print.c
87
88
89
90
91
92
93
94
95
96
case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, TPA(ap)))); break; case ARPOP_INVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap))));
+ show +
97
98
99
100
101
102
103
104
105
break; case ARPOP_INVREPLY: ND_PRINT((ndo,"%s at %s", linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)), ipaddr_string(ndo, SPA(ap)))); break; default:
+ show +
106
107
108
109
110
111
112
113
114
115
ND_DEFAULTPRINT((const u_char *)ap, caplen); return; } out: ND_PRINT((ndo, ", length %u", length)); return; trunc: ND_PRINT((ndo, "%s", tstr));

[tcpdump_CVE-2016-7925_1435950326_sl_if_print.diff] sl_if_print_OLD.c #1
return (caplen); } + caplen -= SLIP_HDRLEN; length -= SLIP_HDRLEN; ip = (const struct ip *)(p + SLIP_HDRLEN);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7925_before_1mo_1430094282_sl_if_print.c
1
2
3
4
5
6
7
8
9
10
u_int sl_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p) { register u_int caplen = h->caplen; register u_int length = h->len; register const struct ip *ip; if (caplen < SLIP_HDRLEN || length < SLIP_HDRLEN) { ND_PRINT((ndo, "%s", tstr));
+ show +
11
12
13
14
15
16
return (caplen); } length -= SLIP_HDRLEN; ip = (const struct ip *)(p + SLIP_HDRLEN);
+ show +
17
18
19
20
21
22
23
24
25
26
if (ndo->ndo_eflag) sliplink_print(ndo, p, ip, length); switch (IP_V(ip)) { case 4: ip_print(ndo, (const u_char *)ip, length); break; case 6: ip6_print(ndo, (const u_char *)ip, length);

[tcpdump_CVE-2016-7925_1435950326_sl_if_print.diff] sl_if_print_OLD.c #2
if (ndo->ndo_eflag) sliplink_print(ndo, p, ip, length); + if (caplen < 1 || length < 1) { + ND_PRINT((ndo, "%s", tstr)); + return (caplen + SLIP_HDRLEN); + } + switch (IP_V(ip)) { case 4: ip_print(ndo, (const u_char *)ip, length);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7925_before_1mo_1430094282_sl_if_print.c
8
9
10
11
12
13
14
15
16
17
if (caplen < SLIP_HDRLEN || length < SLIP_HDRLEN) { ND_PRINT((ndo, "%s", tstr)); return (caplen); } length -= SLIP_HDRLEN; ip = (const struct ip *)(p + SLIP_HDRLEN);
+ show +
18
19
20
21
22
23
if (ndo->ndo_eflag) sliplink_print(ndo, p, ip, length); switch (IP_V(ip)) { case 4: ip_print(ndo, (const u_char *)ip, length);
+ show +
24
25
26
27
28
29
30
31
32
33
break; case 6: ip6_print(ndo, (const u_char *)ip, length); break; default: ND_PRINT((ndo, "ip v%d", IP_V(ip))); } return (SLIP_HDRLEN); }

[tcpdump_CVE-2016-7926_1435965668_ethertype_print.diff] ethertype_print_OLD.c #1
return (1); case ETHERTYPE_ISO: - isoclns_print(ndo, p + 1, length - 1, length - 1); + if (length == 0 || caplen == 0) { + ND_PRINT((ndo, " [|osi]")); + return (1); + } + isoclns_print(ndo, p + 1, length - 1, caplen - 1); return(1); case ETHERTYPE_PPPOED:
.\cloneFuncs\totalClone\Type-1\CVE-2016-7926_before_imd_1435964054_ethertype_print.c
29
30
31
32
33
34
35
36
37
38
atalk_print(ndo, p, length); return (1); case ETHERTYPE_AARP: aarp_print(ndo, p, length); return (1); case ETHERTYPE_IPX: ND_PRINT((ndo, "(NOV-ETHII) ")); ipx_print(ndo, p, length);
+ show +
39
40
41
42
43
44
45
return (1); case ETHERTYPE_ISO: isoclns_print(ndo, p + 1, length - 1, length - 1); return(1); case ETHERTYPE_PPPOED:
+ show +
46
47
48
49
50
51
52
53
54
55
case ETHERTYPE_PPPOES: case ETHERTYPE_PPPOED2: case ETHERTYPE_PPPOES2: pppoe_print(ndo, p, length); return (1); case ETHERTYPE_EAPOL: eap_print(ndo, p, length); return (1);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7926_before_1mo_1430094282_ethertype_print.c
28
29
30
31
32
33
34
35
36
37
atalk_print(ndo, p, length); return (1); case ETHERTYPE_AARP: aarp_print(ndo, p, length); return (1); case ETHERTYPE_IPX: ND_PRINT((ndo, "(NOV-ETHII) ")); ipx_print(ndo, p, length);
+ show +
38
39
40
41
42
43
44
return (1); case ETHERTYPE_ISO: isoclns_print(ndo, p + 1, length - 1, length - 1); return(1); case ETHERTYPE_PPPOED:
+ show +
45
46
47
48
49
50
51
52
53
54
case ETHERTYPE_PPPOES: case ETHERTYPE_PPPOED2: case ETHERTYPE_PPPOES2: pppoe_print(ndo, p, length); return (1); case ETHERTYPE_EAPOL: eap_print(ndo, p, length); return (1);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7926_before_6mo_1412202731_ethertype_print.c
28
29
30
31
32
33
34
35
36
37
atalk_print(ndo, p, length); return (1); case ETHERTYPE_AARP: aarp_print(ndo, p, length); return (1); case ETHERTYPE_IPX: ND_PRINT((ndo, "(NOV-ETHII) ")); ipx_print(ndo, p, length);
+ show +
38
39
40
41
42
43
44
return (1); case ETHERTYPE_ISO: isoclns_print(ndo, p + 1, length - 1, length - 1); return(1); case ETHERTYPE_PPPOED:
+ show +
45
46
47
48
49
50
51
52
53
54
case ETHERTYPE_PPPOES: case ETHERTYPE_PPPOED2: case ETHERTYPE_PPPOES2: pppoe_print(ndo, p, length); return (1); case ETHERTYPE_EAPOL: eap_print(ndo, p, length); return (1);

[tcpdump_CVE-2016-7927_1435964496_ieee802_11_radio_print.diff] ieee802_11_radio_print_OLD.c #1
len = EXTRACT_LE_16BITS(&hdr->it_len); + /* + * If we don't have the entire radiotap header, just give up. + */ if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7927_before_imd_1435964054_ieee802_11_radio_print.c
20
21
22
23
24
25
26
27
28
29
int pad; u_int fcslen; if (caplen < sizeof(*hdr)) { ND_PRINT((ndo, "%s", tstr)); return caplen; } hdr = (const struct ieee80211_radiotap_header *)p;
+ show +
30
31
32
33
34
len = EXTRACT_LE_16BITS(&hdr->it_len); if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen;
+ show +
35
36
37
38
39
40
41
42
43
44
} cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (const u_char*)(last_presentp + 1) <= p + len; last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */
.\cloneFuncs\totalClone\Type-4\CVE-2016-7927_before_1mo_1430612373_ieee802_11_radio_print.c
24
25
26
27
28
29
30
31
32
33
u_int fcslen; struct radiotap_state state; if (caplen < sizeof(*hdr)) { ND_PRINT((ndo, "%s", tstr)); return caplen; } hdr = (const struct ieee80211_radiotap_header *)p;
+ show +
34
35
36
37
38
len = EXTRACT_LE_16BITS(&hdr->it_len); if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen;
+ show +
39
40
41
42
43
44
45
46
47
48
} cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (const u_char*)(last_presentp + 1) <= p + len; last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */
.\cloneFuncs\totalClone\Type-4\CVE-2016-7927_before_6mo_1404765852_ieee802_11_radio_print.c
24
25
26
27
28
29
30
31
32
33
u_int fcslen; struct radiotap_state state; if (caplen < sizeof(*hdr)) { ND_PRINT((ndo, "%s", tstr)); return caplen; } hdr = (struct ieee80211_radiotap_header *)p;
+ show +
34
35
36
37
38
len = EXTRACT_LE_16BITS(&hdr->it_len); if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen;
+ show +
39
40
41
42
43
44
45
46
47
48
} cpack_init(&cpacker, (uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (u_char*)(last_presentp + 1) <= p + len; last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */

[tcpdump_CVE-2016-7927_1435964496_ieee802_11_radio_print.diff] ieee802_11_radio_print_OLD.c #2
cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; - IS_EXTENDED(last_presentp) && - (const u_char*)(last_presentp + 1) <= p + len; + (const u_char*)(last_presentp + 1) <= p + len && + IS_EXTENDED(last_presentp); last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */ - if (IS_EXTENDED(last_presentp)) { + if ((const u_char*)(last_presentp + 1) > p + len) { ND_PRINT((ndo, "%s", tstr)); return caplen; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7927_before_imd_1435964054_ieee802_11_radio_print.c
26
27
28
29
30
31
32
33
34
35
} hdr = (const struct ieee80211_radiotap_header *)p; len = EXTRACT_LE_16BITS(&hdr->it_len); if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen; }
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
48
cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (const u_char*)(last_presentp + 1) <= p + len; last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */ if (IS_EXTENDED(last_presentp)) { ND_PRINT((ndo, "%s", tstr)); return caplen; }
+ show +
49
50
51
52
53
54
55
56
57
58
/* * Start out at the beginning of the default radiotap namespace. */ bit0 = 0; vendor_namespace = 0; memset(vendor_oui, 0, 3); vendor_subnamespace = 0; skip_length = 0; /* Assume no flags */
.\cloneFuncs\totalClone\Type-4\CVE-2016-7927_before_1mo_1430612373_ieee802_11_radio_print.c
30
31
32
33
34
35
36
37
38
39
} hdr = (const struct ieee80211_radiotap_header *)p; len = EXTRACT_LE_16BITS(&hdr->it_len); if (caplen < len) { ND_PRINT((ndo, "%s", tstr)); return caplen; }
+ show +
40
41
42
43
44
45
46
47
48
49
50
51
52
cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */ cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (const u_char*)(last_presentp + 1) <= p + len; last_presentp++) cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */ if (IS_EXTENDED(last_presentp)) { ND_PRINT((ndo, "%s", tstr)); return caplen; }
+ show +
53
54
55
56
57
58
59
60
61
62
/* Assume no flags */ flags = 0; /* Assume no Atheros padding between 802.11 header and body */ pad = 0; /* Assume no FCS at end of frame */ fcslen = 0; for (bit0 = 0, presentp = &hdr->it_present; presentp <= last_presentp; presentp++, bit0 += 32) { presentflags = EXTRACT_LE_32BITS(presentp);

[tcpdump_CVE-2016-7929_1436831571_juniper_parse_header.diff] juniper_parse_header_OLD.c #1
tlv_len = *(tptr++); tlv_value = 0; - /* sanity check */ + /* sanity checks */ if (tlv_type == 0 || tlv_len == 0) break; + if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len) + goto trunc; if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n\t %s Extension TLV #%u, length %u, value ",
.\cloneFuncs\totalClone\Type-1\CVE-2016-7929_before_1mo_1430094282_juniper_parse_header.c
51
52
53
54
55
56
57
58
59
60
* just in case something goes wrong * with TLV parsing */ jnx_header_len += jnx_ext_len; if (ndo->ndo_vflag > 1) ND_PRINT((ndo, ", PCAP Extension(s) total length %u", jnx_ext_len)); ND_TCHECK2(tptr[0], jnx_ext_len); while (jnx_ext_len > JUNIPER_EXT_TLV_OVERHEAD) { tlv_type = *(tptr++);
+ show +
61
62
63
64
65
66
67
68
69
tlv_len = *(tptr++); tlv_value = 0; /* sanity check */ if (tlv_type == 0 || tlv_len == 0) break; if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n\t %s Extension TLV #%u, length %u, value ",
+ show +
70
71
72
73
74
75
76
77
78
79
tok2str(jnx_ext_tlv_values,"Unknown",tlv_type), tlv_type, tlv_len)); tlv_value = juniper_read_tlv_value(tptr, tlv_type, tlv_len); switch (tlv_type) { case JUNIPER_EXT_TLV_IFD_NAME: /* FIXME */ break; case JUNIPER_EXT_TLV_IFD_MEDIATYPE:
.\cloneFuncs\totalClone\Type-2\CVE-2016-7929_before_6mo_1412202731_juniper_parse_header.c
51
52
53
54
55
56
57
58
59
60
* just in case something goes wrong * with TLV parsing */ jnx_header_len += jnx_ext_len; if (ndo->ndo_vflag > 1) ND_PRINT((ndo, ", PCAP Extension(s) total length %u", jnx_ext_len)); ND_TCHECK2(tptr[0], jnx_ext_len); while (jnx_ext_len > JUNIPER_EXT_TLV_OVERHEAD) { tlv_type = *(tptr++);
+ show +
61
62
63
64
65
66
67
68
69
tlv_len = *(tptr++); tlv_value = 0; /* sanity check */ if (tlv_type == 0 || tlv_len == 0) break; if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n\t %s Extension TLV #%u, length %u, value ",
+ show +
70
71
72
73
74
75
76
77
78
79
tok2str(jnx_ext_tlv_values,"Unknown",tlv_type), tlv_type, tlv_len)); tlv_value = juniper_read_tlv_value(tptr, tlv_type, tlv_len); switch (tlv_type) { case JUNIPER_EXT_TLV_IFD_NAME: /* FIXME */ break; case JUNIPER_EXT_TLV_IFD_MEDIATYPE:

[tcpdump_CVE-2016-7930_1435969539_llc_print.diff] llc_print_OLD.c #1
length + hdrlen)); if ((control & ~LLC_U_POLL) == LLC_XID) { + if (caplen < 2 || length < 2) { + ND_PRINT((ndo, "[|llc]")); + if (caplen > 0) + ND_DEFAULTPRINT((const u_char *)p, caplen); + return (hdrlen); + } if (*p == LLC_XID_FI) { ND_PRINT((ndo, ": %02x %02x", p[1], p[2])); return (hdrlen);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7930_before_imd_1435964054_llc_print.c
200
201
202
203
204
205
206
207
208
209
tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), (dst->addr_string)(ndo, dst->addr), tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); } } if (is_u) { ND_PRINT((ndo, "Unnumbered, %s, Flags [%s], length %u", tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)),
+ show +
210
211
212
213
214
215
length + hdrlen)); if ((control & ~LLC_U_POLL) == LLC_XID) { if (*p == LLC_XID_FI) { ND_PRINT((ndo, ": %02x %02x", p[1], p[2])); return (hdrlen);
+ show +
216
217
218
219
220
221
222
223
224
225
} } } else { if ((control & LLC_S_FMT) == LLC_S_FMT) { ND_PRINT((ndo, "Supervisory, %s, rcv seq %u, Flags [%s], length %u", tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), LLC_IS_NR(control), tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), length + hdrlen)); return (hdrlen); /* no payload to print */
.\cloneFuncs\totalClone\Type-2\CVE-2016-7930_before_1mo_1430094282_llc_print.c
200
201
202
203
204
205
206
207
208
209
tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), etheraddr_string(ndo, edst), tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); } } if (is_u) { ND_PRINT((ndo, "Unnumbered, %s, Flags [%s], length %u", tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)),
+ show +
210
211
212
213
214
215
length + hdrlen)); if ((control & ~LLC_U_POLL) == LLC_XID) { if (*p == LLC_XID_FI) { ND_PRINT((ndo, ": %02x %02x", p[1], p[2])); return (hdrlen);
+ show +
216
217
218
219
220
221
222
223
224
225
} } } else { if ((control & LLC_S_FMT) == LLC_S_FMT) { ND_PRINT((ndo, "Supervisory, %s, rcv seq %u, Flags [%s], length %u", tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), LLC_IS_NR(control), tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), length + hdrlen)); return (hdrlen); /* no payload to print */

[tcpdump_CVE-2016-7931_1435972055_mpls_print.diff] mpls_print_OLD.c #1
ND_PRINT((ndo, "MPLS")); do { ND_TCHECK2(*p, sizeof(label_entry)); + if (length < sizeof(label_entry)) { + ND_PRINT((ndo, "[|MPLS], length %u", length)); + return; + } label_entry = EXTRACT_32BITS(p); ND_PRINT((ndo, "%s(label %u", (label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ",
.\cloneFuncs\totalClone\Type-1\CVE-2016-7931_before_1mo_1427018775_mpls_print.c
1
2
3
4
5
6
7
8
9
void mpls_print(netdissect_options *ndo, const u_char *bp, u_int length) { const u_char *p; uint32_t label_entry; uint16_t label_stack_depth = 0; enum mpls_packet_type pt = PT_UNKNOWN; p = bp;
+ show +
10
11
12
13
14
15
ND_PRINT((ndo, "MPLS")); do { ND_TCHECK2(*p, sizeof(label_entry)); label_entry = EXTRACT_32BITS(p); ND_PRINT((ndo, "%s(label %u", (label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ",
+ show +
16
17
18
19
20
21
22
23
24
25
MPLS_LABEL(label_entry))); label_stack_depth++; if (ndo->ndo_vflag && MPLS_LABEL(label_entry) < sizeof(mpls_labelname) / sizeof(mpls_labelname[0])) ND_PRINT((ndo, " (%s)", mpls_labelname[MPLS_LABEL(label_entry)])); ND_PRINT((ndo, ", exp %u", MPLS_EXP(label_entry))); if (MPLS_STACK(label_entry)) ND_PRINT((ndo, ", [S]")); ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry)));

[tcpdump_CVE-2016-7931_1435972055_mpls_print.diff] mpls_print_OLD.c #2
ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry))); p += sizeof(label_entry); + length -= sizeof(label_entry); } while (!MPLS_STACK(label_entry)); /*
.\cloneFuncs\totalClone\Type-1\CVE-2016-7931_before_1mo_1427018775_mpls_print.c
14
15
16
17
18
19
20
21
22
23
ND_PRINT((ndo, "%s(label %u", (label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ", MPLS_LABEL(label_entry))); label_stack_depth++; if (ndo->ndo_vflag && MPLS_LABEL(label_entry) < sizeof(mpls_labelname) / sizeof(mpls_labelname[0])) ND_PRINT((ndo, " (%s)", mpls_labelname[MPLS_LABEL(label_entry)])); ND_PRINT((ndo, ", exp %u", MPLS_EXP(label_entry))); if (MPLS_STACK(label_entry)) ND_PRINT((ndo, ", [S]"));
+ show +
24
25
26
27
28
29
ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry))); p += sizeof(label_entry); } while (!MPLS_STACK(label_entry)); /*
+ show +
30
31
32
33
34
35
36
37
38
39
* Try to figure out the packet type. */ switch (MPLS_LABEL(label_entry)) { case 0: /* IPv4 explicit NULL label */ case 3: /* IPv4 implicit NULL label */ pt = PT_IPV4; break; case 2: /* IPv6 explicit NULL label */

[tcpdump_CVE-2016-7931_1435972055_mpls_print.diff] mpls_print_OLD.c #3
* Cisco sends control-plane traffic MPLS-encapsulated in * this fashion. */ + ND_TCHECK(*p); + if (length < 1) { + /* nothing to print */ + return; + } switch(*p) { case 0x45:
.\cloneFuncs\totalClone\Type-1\CVE-2016-7931_before_1mo_1427018775_mpls_print.c
56
57
58
59
60
61
62
63
64
65
* * 2) the first byte of an OSI CLNP packet is 0x81, * the first byte of an OSI ES-IS packet is 0x82, * and the first byte of an OSI IS-IS packet is * 0x83; * * so the network layer protocol can be inferred from the * first byte of the packet, if the protocol is one of the * ones listed above. *
+ show +
66
67
68
69
70
71
* Cisco sends control-plane traffic MPLS-encapsulated in * this fashion. */ switch(*p) { case 0x45:
+ show +
72
73
74
75
76
77
78
79
80
81
case 0x46: case 0x47: case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4c: case 0x4d: case 0x4e: case 0x4f:

[tcpdump_CVE-2016-7933_1435949729_ppp_hdlc_if_print.diff] ppp_hdlc_if_print_OLD.c #1
return (chdlc_if_print(ndo, h, p)); default: + if (caplen < 4) { + ND_PRINT((ndo, "[|ppp]")); + return (caplen); + } + if (ndo->ndo_eflag) ND_PRINT((ndo, "%02x %02x %d ", p[0], p[1], length)); p += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7933_before_1mo_1427018775_ppp_hdlc_if_print.c
30
31
32
33
34
35
36
37
38
39
p += 2; length -= 2; hdrlen += 2; ND_PRINT((ndo, "%s: ", tok2str(ppptype2str, "unknown PPP protocol (0x%04x)", proto))); handle_ppp(ndo, proto, p, length); break; case CHDLC_UNICAST: case CHDLC_BCAST:
+ show +
40
41
42
43
44
45
return (chdlc_if_print(ndo, h, p)); default: if (ndo->ndo_eflag) ND_PRINT((ndo, "%02x %02x %d ", p[0], p[1], length)); p += 2;
+ show +
46
47
48
49
50
51
52
53
54
55
hdrlen += 2; /* * XXX - NetBSD's "ppp_netbsd_serial_if_print()" treats * the next two octets as an Ethernet type; does that * ever happen? */ ND_PRINT((ndo, "unknown addr %02x; ctrl %02x", p[0], p[1])); break; }

[tcpdump_CVE-2016-7936_1435969958_udp_print.diff] udp_print_OLD.c #1
sport = EXTRACT_16BITS(&up->uh_sport); dport = EXTRACT_16BITS(&up->uh_dport); + if (!ND_TTEST(up->uh_ulen)) { + udpipaddr_print(ndo, ip, sport, dport); + ND_PRINT((ndo, "[|udp]")); + return; + } if (length < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udp %d", length));
.\cloneFuncs\totalClone\Type-1\CVE-2016-7936_before_imd_1484424333_udp_print.c
16
17
18
19
20
21
22
23
24
25
if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; if (!ND_TTEST(up->uh_dport)) { udpipaddr_print(ndo, ip, -1, -1); ND_PRINT((ndo, "[|udp]")); return; }
+ show +
26
27
28
29
30
31
sport = EXTRACT_16BITS(&up->uh_sport); dport = EXTRACT_16BITS(&up->uh_dport); if (length < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udp %d", length));
+ show +
32
33
34
35
36
37
38
39
40
41
return; } ulen = EXTRACT_16BITS(&up->uh_ulen); if (ulen < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udplength %d", ulen)); return; } ulen -= sizeof(struct udphdr); length -= sizeof(struct udphdr);
.\cloneFuncs\totalClone\Type-2\CVE-2016-7936_after_imd_1436063424_udp_print.c
16
17
18
19
20
21
22
23
24
25
if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; if (!ND_TTEST(up->uh_dport)) { udpipaddr_print(ndo, ip, -1, -1); ND_PRINT((ndo, "[|udp]")); return; }
+ show +
26
27
28
29
30
31
sport = EXTRACT_16BITS(&up->uh_sport); dport = EXTRACT_16BITS(&up->uh_dport); if (length < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udp %d", length));
+ show +
32
33
34
35
36
37
38
39
40
41
return; } if (!ND_TTEST(up->uh_ulen)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "[|udp]")); return; } ulen = EXTRACT_16BITS(&up->uh_ulen); if (ulen < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7936_after_1mo_1447776742_udp_print.c
15
16
17
18
19
20
21
22
23
24
ip = (const struct ip *)bp2; if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; if (!ND_TTEST(up->uh_dport)) { udpipaddr_print(ndo, ip, -1, -1); goto trunc; }
+ show +
25
26
27
28
29
30
sport = EXTRACT_16BITS(&up->uh_sport); dport = EXTRACT_16BITS(&up->uh_dport); if (length < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udp %d", length));
+ show +
31
32
33
34
35
36
37
38
39
40
return; } if (!ND_TTEST(up->uh_ulen)) { udpipaddr_print(ndo, ip, sport, dport); goto trunc; } ulen = EXTRACT_16BITS(&up->uh_ulen); if (ulen < sizeof(struct udphdr)) { udpipaddr_print(ndo, ip, sport, dport); ND_PRINT((ndo, "truncated-udplength %d", ulen));

[tcpdump_CVE-2017-13030_1490216968_pim_print.diff] pim_print_OLD.c #2
break; } return; + +trunc: + ND_PRINT((ndo, "[|pim]")); + return; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-7936_before_imd_1484424333_udp_print.c
119
120
121
122
123
124
125
126
127
128
break; case PT_PGM: case PT_PGM_ZMTP1: udpipaddr_print(ndo, ip, sport, dport); pgm_print(ndo, cp, length, bp2); break; case PT_LMP: udpipaddr_print(ndo, ip, sport, dport); lmp_print(ndo, cp, length);
+ show +
129
130
131
132
break; } return; }
+ show +
133
134
135
136
137
138
139
140
141
142
udpipaddr_print(ndo, ip, sport, dport); if (!ndo->ndo_qflag) { register const struct sunrpc_msg *rp; enum sunrpc_msg_type direction; rp = (const struct sunrpc_msg *)(up + 1); if (ND_TTEST(rp->rm_direction)) { direction = (enum sunrpc_msg_type)EXTRACT_32BITS(&rp->rm_direction); if (dport == NFS_PORT && direction == SUNRPC_CALL) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-7975_before_imd_1435966105_tcp_print.c
492
493
494
495
496
497
498
499
500
501
return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length); break; case PT_RESP: resp_print(ndo, bp, length);
+ show +
502
503
504
505
break; } return; }
+ show +
506
507
508
509
510
511
512
513
514
515
if (IS_SRC_OR_DST_PORT(TELNET_PORT)) { telnet_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(BGP_PORT)) bgp_print(ndo, bp, length); else if (IS_SRC_OR_DST_PORT(PPTP_PORT)) pptp_print(ndo, bp);
.\cloneFuncs\totalClone\Type-2\CVE-2016-7936_after_imd_1436063424_udp_print.c
124
125
126
127
128
129
130
131
132
133
break; case PT_PGM: case PT_PGM_ZMTP1: udpipaddr_print(ndo, ip, sport, dport); pgm_print(ndo, cp, length, bp2); break; case PT_LMP: udpipaddr_print(ndo, ip, sport, dport); lmp_print(ndo, cp, length);
+ show +
134
135
136
137
break; } return; }
+ show +
138
139
140
141
142
143
144
145
146
147
udpipaddr_print(ndo, ip, sport, dport); if (!ndo->ndo_qflag) { register const struct sunrpc_msg *rp; enum sunrpc_msg_type direction; rp = (const struct sunrpc_msg *)(up + 1); if (ND_TTEST(rp->rm_direction)) { direction = (enum sunrpc_msg_type)EXTRACT_32BITS(&rp->rm_direction); if (dport == NFS_PORT && direction == SUNRPC_CALL) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-7936_after_1mo_1447776742_udp_print.c
121
122
123
124
125
126
127
128
129
130
break; case PT_PGM: case PT_PGM_ZMTP1: udpipaddr_print(ndo, ip, sport, dport); pgm_print(ndo, cp, length, bp2); break; case PT_LMP: udpipaddr_print(ndo, ip, sport, dport); lmp_print(ndo, cp, length);
+ show +
131
132
133
134
break; } return; }
+ show +
135
136
137
138
139
140
141
142
143
144
udpipaddr_print(ndo, ip, sport, dport); if (!ndo->ndo_qflag) { register const struct sunrpc_msg *rp; enum sunrpc_msg_type direction; rp = (const struct sunrpc_msg *)(up + 1); if (ND_TTEST(rp->rm_direction)) { direction = (enum sunrpc_msg_type)EXTRACT_32BITS(&rp->rm_direction); if (dport == NFS_PORT && direction == SUNRPC_CALL) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_after_1mo_1462476661_tcp_print.c
499
500
501
502
503
504
505
506
507
508
return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length); break; case PT_RESP: resp_print(ndo, bp, length);
+ show +
509
510
511
512
break; } return; }
+ show +
513
514
515
516
517
518
519
520
521
522
if (IS_SRC_OR_DST_PORT(TELNET_PORT)) { telnet_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(BGP_PORT)) bgp_print(ndo, bp, length); else if (IS_SRC_OR_DST_PORT(PPTP_PORT)) pptp_print(ndo, bp);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_after_6mo_1478019901_tcp_print.c
512
513
514
515
516
517
518
519
520
521
return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length); break; case PT_RESP: resp_print(ndo, bp, length);
+ show +
522
523
524
525
break; } return; }
+ show +
526
527
528
529
530
531
532
533
534
535
if (IS_SRC_OR_DST_PORT(TELNET_PORT)) { telnet_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(BGP_PORT)) bgp_print(ndo, bp, length); else if (IS_SRC_OR_DST_PORT(PPTP_PORT)) pptp_print(ndo, bp);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_after_imd_1474850901_tcp_print.c
493
494
495
496
497
498
499
500
501
502
return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length); break; case PT_RESP: resp_print(ndo, bp, length);
+ show +
503
504
505
506
break; } return; }
+ show +
507
508
509
510
511
512
513
514
515
516
if (IS_SRC_OR_DST_PORT(TELNET_PORT)) { telnet_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (IS_SRC_OR_DST_PORT(BGP_PORT)) bgp_print(ndo, bp, length); else if (IS_SRC_OR_DST_PORT(PPTP_PORT)) pptp_print(ndo, bp);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_before_1mo_1430094282_tcp_print.c
503
504
505
506
507
508
509
510
511
512
bp += TH_OFF(tp) * 4; if ((flags & TH_RST) && ndo->ndo_vflag) { print_tcp_rst_data(ndo, bp, length); return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length);
+ show +
513
514
515
516
break; } return; }
+ show +
517
518
519
520
521
522
523
524
525
526
if (sport == TELNET_PORT || dport == TELNET_PORT) { telnet_print(ndo, bp, length); } else if (sport == SMTP_PORT || dport == SMTP_PORT) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (sport == BGP_PORT || dport == BGP_PORT) bgp_print(ndo, bp, length); else if (sport == PPTP_PORT || dport == PPTP_PORT) pptp_print(ndo, bp);
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_before_6mo_1419012395_tcp_print.c
510
511
512
513
514
515
516
517
518
519
bp += TH_OFF(tp) * 4; if ((flags & TH_RST) && ndo->ndo_vflag) { print_tcp_rst_data(ndo, bp, length); return; } if (ndo->ndo_packettype) { switch (ndo->ndo_packettype) { case PT_ZMTP1: zmtp1_print(ndo, bp, length);
+ show +
520
521
522
523
break; } return; }
+ show +
524
525
526
527
528
529
530
531
532
533
if (sport == TELNET_PORT || dport == TELNET_PORT) { telnet_print(ndo, bp, length); } else if (sport == SMTP_PORT || dport == SMTP_PORT) { ND_PRINT((ndo, ": ")); smtp_print(ndo, bp, length); } else if (sport == BGP_PORT || dport == BGP_PORT) bgp_print(ndo, bp, length); else if (sport == PPTP_PORT || dport == PPTP_PORT) pptp_print(ndo, bp);

[tcpdump_CVE-2016-7973_1435949010_atalk_print.diff] atalk_print_OLD.c #1
if(!ndo->ndo_eflag) ND_PRINT((ndo, "AT ")); + if (!ND_TTEST2(*bp, ddpSize)) { + ND_PRINT((ndo, " [|ddp]")); + return; + } if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return;
.\cloneFuncs\totalClone\Type-1\CVE-2016-7973_before_1mo_1430094282_atalk_print.c
1
2
3
4
5
6
7
void atalk_print(netdissect_options *ndo, register const u_char *bp, u_int length) { register const struct atDDP *dp; u_short snet;
+ show +
8
9
10
11
12
13
if(!ndo->ndo_eflag) ND_PRINT((ndo, "AT ")); if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return;
+ show +
14
15
16
17
18
19
20
21
22
23
} dp = (const struct atDDP *)bp; snet = EXTRACT_16BITS(&dp->srcNet); ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, snet, dp->srcNode), ddpskt_string(ndo, dp->srcSkt))); ND_PRINT((ndo, " > %s.%s: ", ataddr_string(ndo, EXTRACT_16BITS(&dp->dstNet), dp->dstNode), ddpskt_string(ndo, dp->dstSkt))); bp += ddpSize; length -= ddpSize;
.\cloneFuncs\totalClone\Type-2\CVE-2016-7973_after_1mo_1435953491_atalk_print.c
1
2
3
4
5
6
7
void atalk_print(netdissect_options *ndo, register const u_char *bp, u_int length) { register const struct atDDP *dp; u_short snet;
+ show +
8
9
10
11
12
13
if(!ndo->ndo_eflag) ND_PRINT((ndo, "AT ")); if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return;
+ show +
14
15
16
17
18
19
20
21
22
23
} if (!ND_TTEST2(*bp, ddpSize)) { ND_PRINT((ndo, " [|ddp]")); return; } dp = (const struct atDDP *)bp; snet = EXTRACT_16BITS(&dp->srcNet); ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, snet, dp->srcNode), ddpskt_string(ndo, dp->srcSkt))); ND_PRINT((ndo, " > %s.%s: ",

[tcpdump_CVE-2016-7973_1435949010_llap_print.diff] llap_print_OLD.c #1
u_short snet; u_int hdrlen; + if (!ND_TTEST2(*bp, sizeof(*lp))) { + ND_PRINT((ndo, " [|llap]")); + return (0); /* cut short by the snapshot length */ + } if (length < sizeof(*lp)) { ND_PRINT((ndo, " [|llap %u]", length)); return (length);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7973_before_1mo_1430094282_llap_print.c
1
2
3
4
5
6
7
u_int llap_print(netdissect_options *ndo, register const u_char *bp, u_int length) { register const struct LAP *lp; register const struct atDDP *dp; register const struct atShortDDP *sdp;
+ show +
8
9
10
11
12
13
u_short snet; u_int hdrlen; if (length < sizeof(*lp)) { ND_PRINT((ndo, " [|llap %u]", length)); return (length);
+ show +
14
15
16
17
18
19
20
21
22
23
} lp = (const struct LAP *)bp; bp += sizeof(*lp); length -= sizeof(*lp); hdrlen = sizeof(*lp); switch (lp->type) { case lapShortDDP: if (length < ddpSSize) { ND_PRINT((ndo, " [|sddp %u]", length));
.\cloneFuncs\totalClone\Type-2\CVE-2016-7973_after_1mo_1435953491_llap_print.c
1
2
3
4
5
6
7
u_int llap_print(netdissect_options *ndo, register const u_char *bp, u_int length) { register const struct LAP *lp; register const struct atDDP *dp; register const struct atShortDDP *sdp;
+ show +
8
9
10
11
12
13
u_short snet; u_int hdrlen; if (length < sizeof(*lp)) { ND_PRINT((ndo, " [|llap %u]", length)); return (length);
+ show +
14
15
16
17
18
19
20
21
22
23
} if (!ND_TTEST2(*bp, sizeof(*lp))) { ND_PRINT((ndo, " [|llap]")); return (0); /* cut short by the snapshot length */ } lp = (const struct LAP *)bp; bp += sizeof(*lp); length -= sizeof(*lp); hdrlen = sizeof(*lp); switch (lp->type) {

[tcpdump_CVE-2016-7973_1435949010_llap_print.diff] llap_print_OLD.c #2
switch (lp->type) { case lapShortDDP: + if (!ND_TTEST2(*bp, ddpSSize)) { + ND_PRINT((ndo, " [|sddp]")); + return (0); /* cut short by the snapshot length */ + } if (length < ddpSSize) { ND_PRINT((ndo, " [|sddp %u]", length)); return (length);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7973_before_1mo_1430094282_llap_print.c
9
10
11
12
13
14
15
16
17
18
u_int hdrlen; if (length < sizeof(*lp)) { ND_PRINT((ndo, " [|llap %u]", length)); return (length); } lp = (const struct LAP *)bp; bp += sizeof(*lp); length -= sizeof(*lp); hdrlen = sizeof(*lp);
+ show +
19
20
21
22
23
24
switch (lp->type) { case lapShortDDP: if (length < ddpSSize) { ND_PRINT((ndo, " [|sddp %u]", length)); return (length);
+ show +
25
26
27
28
29
30
31
32
33
34
} sdp = (const struct atShortDDP *)bp; ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, 0, lp->src), ddpskt_string(ndo, sdp->srcSkt))); ND_PRINT((ndo, " > %s.%s:", ataddr_string(ndo, 0, lp->dst), ddpskt_string(ndo, sdp->dstSkt))); bp += ddpSSize; length -= ddpSSize; hdrlen += ddpSSize; ddp_print(ndo, bp, length, sdp->type, 0, lp->src, sdp->srcSkt);
.\cloneFuncs\totalClone\Type-2\CVE-2016-7973_after_1mo_1435953491_llap_print.c
13
14
15
16
17
18
19
20
21
22
return (length); } if (!ND_TTEST2(*bp, sizeof(*lp))) { ND_PRINT((ndo, " [|llap]")); return (0); /* cut short by the snapshot length */ } lp = (const struct LAP *)bp; bp += sizeof(*lp); length -= sizeof(*lp); hdrlen = sizeof(*lp);
+ show +
23
24
25
26
27
28
switch (lp->type) { case lapShortDDP: if (length < ddpSSize) { ND_PRINT((ndo, " [|sddp %u]", length)); return (length);
+ show +
29
30
31
32
33
34
35
36
37
38
} if (!ND_TTEST2(*bp, ddpSSize)) { ND_PRINT((ndo, " [|sddp]")); return (0); /* cut short by the snapshot length */ } sdp = (const struct atShortDDP *)bp; ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, 0, lp->src), ddpskt_string(ndo, sdp->srcSkt))); ND_PRINT((ndo, " > %s.%s:", ataddr_string(ndo, 0, lp->dst), ddpskt_string(ndo, sdp->dstSkt)));

[tcpdump_CVE-2016-7973_1435949010_llap_print.diff] llap_print_OLD.c #3
break; case lapDDP: + if (!ND_TTEST2(*bp, ddpSize)) { + ND_PRINT((ndo, " [|ddp]")); + return (0); /* cut short by the snapshot length */ + } if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return (length);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7973_before_1mo_1430094282_llap_print.c
25
26
27
28
29
30
31
32
33
34
} sdp = (const struct atShortDDP *)bp; ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, 0, lp->src), ddpskt_string(ndo, sdp->srcSkt))); ND_PRINT((ndo, " > %s.%s:", ataddr_string(ndo, 0, lp->dst), ddpskt_string(ndo, sdp->dstSkt))); bp += ddpSSize; length -= ddpSSize; hdrlen += ddpSSize; ddp_print(ndo, bp, length, sdp->type, 0, lp->src, sdp->srcSkt);
+ show +
35
36
37
38
39
40
break; case lapDDP: if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return (length);
+ show +
41
42
43
44
45
46
47
48
49
50
} dp = (const struct atDDP *)bp; snet = EXTRACT_16BITS(&dp->srcNet); ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, snet, dp->srcNode), ddpskt_string(ndo, dp->srcSkt))); ND_PRINT((ndo, " > %s.%s:", ataddr_string(ndo, EXTRACT_16BITS(&dp->dstNet), dp->dstNode), ddpskt_string(ndo, dp->dstSkt))); bp += ddpSize; length -= ddpSize;
.\cloneFuncs\totalClone\Type-2\CVE-2016-7973_after_1mo_1435953491_llap_print.c
33
34
35
36
37
38
39
40
41
42
} sdp = (const struct atShortDDP *)bp; ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, 0, lp->src), ddpskt_string(ndo, sdp->srcSkt))); ND_PRINT((ndo, " > %s.%s:", ataddr_string(ndo, 0, lp->dst), ddpskt_string(ndo, sdp->dstSkt))); bp += ddpSSize; length -= ddpSSize; hdrlen += ddpSSize; ddp_print(ndo, bp, length, sdp->type, 0, lp->src, sdp->srcSkt);
+ show +
43
44
45
46
47
48
break; case lapDDP: if (length < ddpSize) { ND_PRINT((ndo, " [|ddp %u]", length)); return (length);
+ show +
49
50
51
52
53
54
55
56
57
58
} if (!ND_TTEST2(*bp, ddpSize)) { ND_PRINT((ndo, " [|ddp]")); return (0); /* cut short by the snapshot length */ } dp = (const struct atDDP *)bp; snet = EXTRACT_16BITS(&dp->srcNet); ND_PRINT((ndo, "%s.%s", ataddr_string(ndo, snet, dp->srcNode), ddpskt_string(ndo, dp->srcSkt))); ND_PRINT((ndo, " > %s.%s:",

[tcpdump_CVE-2016-7975_1435967232_tcp_print.diff] tcp_print_OLD.c #1
sport = EXTRACT_16BITS(&tp->th_sport); dport = EXTRACT_16BITS(&tp->th_dport); - hlen = TH_OFF(tp) * 4; - if (ip6) { if (ip6->ip6_nxt == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ",
.\cloneFuncs\totalClone\Type-1\CVE-2016-7975_before_imd_1435966105_tcp_print.c
22
23
24
25
26
27
28
29
30
31
else ip6 = NULL; ch = '\0'; if (!ND_TTEST(tp->th_dport)) { ND_PRINT((ndo, "%s > %s: [|tcp]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); return; }
+ show +
32
33
34
35
36
37
38
39
sport = EXTRACT_16BITS(&tp->th_sport); dport = EXTRACT_16BITS(&tp->th_dport); hlen = TH_OFF(tp) * 4; if (ip6) { if (ip6->ip6_nxt == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ",
+ show +
40
41
42
43
44
45
46
47
48
49
ip6addr_string(ndo, &ip6->ip6_src), tcpport_string(ndo, sport), ip6addr_string(ndo, &ip6->ip6_dst), tcpport_string(ndo, dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(ndo, sport), tcpport_string(ndo, dport))); } } else { if (ip->ip_p == IPPROTO_TCP) {

[tcpdump_CVE-2016-7975_1435967232_tcp_print.diff] tcp_print_OLD.c #2
} } + ND_TCHECK(*tp); + + hlen = TH_OFF(tp) * 4; + if (hlen < sizeof(*tp)) { ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp))); return; } - ND_TCHECK(*tp); - seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7975_before_imd_1435966105_tcp_print.c
48
49
50
51
52
53
54
55
56
57
} else { if (ip->ip_p == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ipaddr_string(ndo, &ip->ip_src), tcpport_string(ndo, sport), ipaddr_string(ndo, &ip->ip_dst), tcpport_string(ndo, dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(ndo, sport), tcpport_string(ndo, dport)));
+ show +
58
59
60
61
62
63
64
65
66
67
68
69
70
71
} } if (hlen < sizeof(*tp)) { ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp))); return; } ND_TCHECK(*tp); seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win);
+ show +
72
73
74
75
76
77
78
79
80
81
urp = EXTRACT_16BITS(&tp->th_urp); if (ndo->ndo_qflag) { ND_PRINT((ndo, "tcp %d", length - hlen)); if (hlen > length) { ND_PRINT((ndo, " [bad hdr length %u - too long, > %u]", hlen, length)); } return; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_before_1mo_1430094282_tcp_print.c
55
56
57
58
59
60
61
62
63
64
{ if (ip->ip_p == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ipaddr_string(ndo, &ip->ip_src), tcpport_string(sport), ipaddr_string(ndo, &ip->ip_dst), tcpport_string(dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(sport), tcpport_string(dport)));
+ show +
65
66
67
68
69
70
71
72
73
74
75
76
77
78
} } if (hlen < sizeof(*tp)) { ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp))); return; } ND_TCHECK(*tp); seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win);
+ show +
79
80
81
82
83
84
85
86
87
88
urp = EXTRACT_16BITS(&tp->th_urp); if (ndo->ndo_qflag) { ND_PRINT((ndo, "tcp %d", length - hlen)); if (hlen > length) { ND_PRINT((ndo, " [bad hdr length %u - too long, > %u]", hlen, length)); } return; }
.\cloneFuncs\totalClone\Type-3\CVE-2016-7975_before_6mo_1419012395_tcp_print.c
55
56
57
58
59
60
61
62
63
64
{ if (ip->ip_p == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ipaddr_string(ndo, &ip->ip_src), tcpport_string(sport), ipaddr_string(ndo, &ip->ip_dst), tcpport_string(dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(sport), tcpport_string(dport)));
+ show +
65
66
67
68
69
70
71
72
73
74
75
76
77
78
} } if (hlen < sizeof(*tp)) { ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp))); return; } ND_TCHECK(*tp); seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win);
+ show +
79
80
81
82
83
84
85
86
87
88
urp = EXTRACT_16BITS(&tp->th_urp); if (ndo->ndo_qflag) { ND_PRINT((ndo, "tcp %d", length - hlen)); if (hlen > length) { ND_PRINT((ndo, " [bad hdr length %u - too long, > %u]", hlen, length)); } return; }

[tcpdump_CVE-2016-7985_1484762512_medsa_print.diff] medsa_print_OLD.c #1
void medsa_print(netdissect_options *ndo, - const u_char *bp, u_int length, u_int caplen) + const u_char *bp, u_int length, u_int caplen, + const struct lladdr_info *src, const struct lladdr_info *dst) { - register const struct ether_header *ep; const struct medsa_pkthdr *medsa; - struct lladdr_info src, dst; u_short ether_type; medsa = (const struct medsa_pkthdr *)bp; - ep = (const struct ether_header *)(bp - sizeof(*ep)); ND_TCHECK(*medsa); if (!ndo->ndo_eflag)
.\cloneFuncs\totalClone\Type-1\CVE-2016-7985_before_imd_1435964054_medsa_print.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
void medsa_print(netdissect_options *ndo, const u_char *bp, u_int length, u_int caplen) { register const struct ether_header *ep; const struct medsa_pkthdr *medsa; struct lladdr_info src, dst; u_short ether_type; medsa = (const struct medsa_pkthdr *)bp; ep = (const struct ether_header *)(bp - sizeof(*ep)); ND_TCHECK(*medsa); if (!ndo->ndo_eflag)
+ show +
15
16
17
18
19
20
21
22
23
24
ND_PRINT((ndo, "MEDSA %d.%d:%d: ", SRC_DEV(medsa), SRC_PORT(medsa), VID(medsa))); else medsa_print_full(ndo, medsa, caplen); bp += 8; length -= 8; caplen -= 8; src.addr = ESRC(ep);

[tcpdump_CVE-2016-7985_1484762512_medsa_print.diff] medsa_print_OLD.c #2
length -= 8; caplen -= 8; - src.addr = ESRC(ep); - src.addr_string = etheraddr_string; - dst.addr = EDST(ep); - dst.addr_string = etheraddr_string; ether_type = EXTRACT_16BITS(&medsa->ether_type); if (ether_type <= ETHERMTU) { /* Try to print the LLC-layer header & higher layers */ - if (llc_print(ndo, bp, length, caplen, &src, &dst) < 0) { + if (llc_print(ndo, bp, length, caplen, src, dst) < 0) { /* packet type not known, print raw packet */ if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(bp, caplen);
.\cloneFuncs\totalClone\Type-1\CVE-2016-7985_before_imd_1435964054_medsa_print.c
11
12
13
14
15
16
17
18
19
20
ep = (const struct ether_header *)(bp - sizeof(*ep)); ND_TCHECK(*medsa); if (!ndo->ndo_eflag) ND_PRINT((ndo, "MEDSA %d.%d:%d: ", SRC_DEV(medsa), SRC_PORT(medsa), VID(medsa))); else medsa_print_full(ndo, medsa, caplen); bp += 8;
+ show +
21
22
23
24
25
26
27
28
29
30
31
32
33
34
length -= 8; caplen -= 8; src.addr = ESRC(ep); src.addr_string = etheraddr_string; dst.addr = EDST(ep); dst.addr_string = etheraddr_string; ether_type = EXTRACT_16BITS(&medsa->ether_type); if (ether_type <= ETHERMTU) { /* Try to print the LLC-layer header & higher layers */ if (llc_print(ndo, bp, length, caplen, &src, &dst) < 0) { /* packet type not known, print raw packet */ if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(bp, caplen);
+ show +
35
36
37
38
39
40
41
42
43
44
} } else { if (ndo->ndo_eflag) ND_PRINT((ndo, "ethertype %s (0x%04x) ", tok2str(ethertype_values, "Unknown", ether_type), ether_type)); if (ethertype_print(ndo, ether_type, bp, length, caplen, &src, &dst) == 0) { /* ether_type not known, print raw packet */

[tcpdump_CVE-2016-7985_1484762512_medsa_print.diff] medsa_print_OLD.c #3
tok2str(ethertype_values, "Unknown", ether_type), ether_type)); - - if (ethertype_print(ndo, ether_type, bp, length, caplen, &src, &dst) == 0) { + if (ethertype_print(ndo, ether_type, bp, length, caplen, src, dst) == 0) { /* ether_type not known, print raw packet */ if (!ndo->ndo_eflag) ND_PRINT((ndo, "ethertype %s (0x%04x) ",
.\cloneFuncs\totalClone\Type-1\CVE-2016-7985_before_imd_1435964054_medsa_print.c
29
30
31
32
33
34
35
36
37
38
if (ether_type <= ETHERMTU) { /* Try to print the LLC-layer header & higher layers */ if (llc_print(ndo, bp, length, caplen, &src, &dst) < 0) { /* packet type not known, print raw packet */ if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(bp, caplen); } } else { if (ndo->ndo_eflag) ND_PRINT((ndo, "ethertype %s (0x%04x) ",
+ show +
39
40
41
42
43
44
45
46
tok2str(ethertype_values, "Unknown", ether_type), ether_type)); if (ethertype_print(ndo, ether_type, bp, length, caplen, &src, &dst) == 0) { /* ether_type not known, print raw packet */ if (!ndo->ndo_eflag) ND_PRINT((ndo, "ethertype %s (0x%04x) ",
+ show +
47
48
49
50
51
52
53
54
55
56
tok2str(ethertype_values, "Unknown", ether_type), ether_type)); if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(bp, caplen); } } return; trunc:

[tcpdump_CVE-2016-7992_1435947877_cip_if_print.diff] cip_if_print_OLD.c #1
{ u_int caplen = h->caplen; u_int length = h->len; + size_t cmplen; int llc_hdrlen; - if (memcmp(rfcllc, p, sizeof(rfcllc))==0 && caplen < RFC1483LLC_LEN) { - ND_PRINT((ndo, "[|cip]")); - return (0); - } + cmplen = sizeof(rfcllc); + if (cmplen > caplen) + cmplen = caplen; + if (cmplen > length) + cmplen = length; if (ndo->ndo_eflag) cip_print(ndo, length); - if (memcmp(rfcllc, p, sizeof(rfcllc)) == 0) { + if (cmplen == 0) { + ND_PRINT((ndo, "[|cip]")); + return 0; + } + if (memcmp(rfcllc, p, cmplen) == 0) { /* * LLC header is present. Try to print it & higher layers. */
.\cloneFuncs\totalClone\Type-1\CVE-2016-7992_before_1mo_1429339342_cip_if_print.c
1
2
u_int cip_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
+ show +
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
{ u_int caplen = h->caplen; u_int length = h->len; int llc_hdrlen; if (memcmp(rfcllc, p, sizeof(rfcllc))==0 && caplen < RFC1483LLC_LEN) { ND_PRINT((ndo, "[|cip]")); return (0); } if (ndo->ndo_eflag) cip_print(ndo, length); if (memcmp(rfcllc, p, sizeof(rfcllc)) == 0) { /* * LLC header is present. Try to print it & higher layers. */
+ show +
20
21
22
23
24
25
26
27
28
29
llc_hdrlen = llc_print(ndo, p, length, caplen, NULL, NULL); if (llc_hdrlen < 0) { /* packet type not known, print raw packet */ if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(p, caplen); llc_hdrlen = -llc_hdrlen; } } else { /* * LLC header is absent; treat it as just IP.

[linux_CVE-2016-8399_1480962878_ping_common_sendmsg.diff] ping_common_sendmsg_OLD.c #1
if (len > 0xFFFF) return -EMSGSIZE; + /* Must have at least a full ICMP header. */ + if (len < icmph_len) + return -EINVAL; + /* * Check the flags. */
.\cloneFuncs\totalClone\Type-1\CVE-2016-8399_before_1mo_1475884992_ping_common_sendmsg.c
1
2
3
4
int ping_common_sendmsg(int family, struct msghdr *msg, size_t len, void *user_icmph, size_t icmph_len) { u8 type, code;
+ show +
5
6
7
8
9
10
if (len > 0xFFFF) return -EMSGSIZE; /* * Check the flags. */
+ show +
11
12
13
14
15
16
17
18
19
20
/* Mirror BSD error message compatibility */ if (msg->msg_flags & MSG_OOB) return -EOPNOTSUPP; /* * Fetch the ICMP header provided by the userland. * iovec is modified! The ICMP header is consumed. */ if (memcpy_from_msg(user_icmph, msg, icmph_len))

[linux_CVE-2016-8632_1480667621_tipc_udp_enable.diff] tipc_udp_enable_OLD.c #1
udp_conf.local_ip.s_addr = htonl(INADDR_ANY); udp_conf.use_udp_checksums = false; ub->ifindex = dev->ifindex; + if (tipc_mtu_bad(dev, sizeof(struct iphdr) + + sizeof(struct udphdr))) { + err = -EINVAL; + goto err; + } b->mtu = dev->mtu - sizeof(struct iphdr) - sizeof(struct udphdr); #if IS_ENABLED(CONFIG_IPV6)
.\cloneFuncs\totalClone\Type-1\CVE-2016-8632_before_1mo_1473469015_tipc_udp_enable.c
45
46
47
48
49
50
51
52
53
54
tipc_udp_media_addr_set(&b->addr, &local); if (local.proto == htons(ETH_P_IP)) { struct net_device *dev; dev = __ip_dev_find(net, local.ipv4.s_addr, false); if (!dev) { err = -ENODEV; goto err; } udp_conf.family = AF_INET;
+ show +
55
56
57
58
59
60
udp_conf.local_ip.s_addr = htonl(INADDR_ANY); udp_conf.use_udp_checksums = false; ub->ifindex = dev->ifindex; b->mtu = dev->mtu - sizeof(struct iphdr) - sizeof(struct udphdr); #if IS_ENABLED(CONFIG_IPV6)
+ show +
61
62
63
64
65
66
67
68
69
70
} else if (local.proto == htons(ETH_P_IPV6)) { udp_conf.family = AF_INET6; udp_conf.use_udp6_tx_checksums = true; udp_conf.use_udp6_rx_checksums = true; udp_conf.local_ip6 = in6addr_any; b->mtu = 1280; #endif } else { err = -EAFNOSUPPORT; goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2016-8632_before_6mo_1457945032_tipc_udp_enable.c
25
26
27
28
29
30
31
32
33
34
tipc_udp_media_addr_set(&b->addr, &local); if (local.proto == htons(ETH_P_IP)) { struct net_device *dev; dev = __ip_dev_find(net, local.ipv4.s_addr, false); if (!dev) { err = -ENODEV; goto err; } udp_conf.family = AF_INET;
+ show +
35
36
37
38
39
40
udp_conf.local_ip.s_addr = htonl(INADDR_ANY); udp_conf.use_udp_checksums = false; ub->ifindex = dev->ifindex; b->mtu = dev->mtu - sizeof(struct iphdr) - sizeof(struct udphdr); #if IS_ENABLED(CONFIG_IPV6)
+ show +
41
42
43
44
45
46
47
48
49
50
} else if (local.proto == htons(ETH_P_IPV6)) { udp_conf.family = AF_INET6; udp_conf.use_udp6_tx_checksums = true; udp_conf.use_udp6_rx_checksums = true; udp_conf.local_ip6 = in6addr_any; b->mtu = 1280; #endif } else { err = -EAFNOSUPPORT; goto err;

[linux_CVE-2016-8650_1479993790_mpi_powm.diff] mpi_powm_OLD.c #1
if (!esize) { /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 * depending on if MOD equals 1. */ - rp[0] = 1; res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; + if (res->nlimbs) { + if (mpi_resize(res, 1) < 0) + goto enomem; + rp = res->d; + rp[0] = 1; + } res->sign = 0; goto leave; }
.\cloneFuncs\totalClone\Type-1\CVE-2016-8650_before_imd_1347538173_mpi_powm.c
19
20
21
22
23
24
25
26
27
28
size = 2 * msize; esign = exp->sign; msign = mod->sign; rp = res->d; ep = exp->d; if (!msize) return -EINVAL;
+ show +
29
30
31
32
33
34
35
36
if (!esize) { /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 * depending on if MOD equals 1. */ rp[0] = 1; res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; res->sign = 0; goto leave; }
+ show +
37
38
39
40
41
42
43
44
45
46
/* Normalize MOD (i.e. make its most significant bit set) as required by * mpn_divrem. This will make the intermediate values in the calculation * slightly larger, but the correct result is obtained after a final * reduction using the original MOD value. */ mp = mp_marker = mpi_alloc_limb_space(msize); if (!mp) goto enomem; mod_shift_cnt = count_leading_zeros(mod->d[msize - 1]); if (mod_shift_cnt)
.\cloneFuncs\totalClone\Type-2\CVE-2016-8650_before_1mo_1327598001_mpi_powm.c
19
20
21
22
23
24
25
26
27
28
size = 2 * msize; esign = exp->sign; msign = mod->sign; rp = res->d; ep = exp->d; if (!msize) return -EINVAL;
+ show +
29
30
31
32
33
34
35
36
if (!esize) { /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 * depending on if MOD equals 1. */ rp[0] = 1; res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; res->sign = 0; goto leave; }
+ show +
37
38
39
40
41
42
43
44
45
46
/* Normalize MOD (i.e. make its most significant bit set) as required by * mpn_divrem. This will make the intermediate values in the calculation * slightly larger, but the correct result is obtained after a final * reduction using the original MOD value. */ mp = mp_marker = mpi_alloc_limb_space(msize); if (!mp) goto enomem; count_leading_zeros(mod_shift_cnt, mod->d[msize - 1]); if (mod_shift_cnt)
.\cloneFuncs\totalClone\Type-2\CVE-2016-8650_before_6mo_1314788716_mpi_powm.c
19
20
21
22
23
24
25
26
27
28
size = 2 * msize; esign = exp->sign; msign = mod->sign; rp = res->d; ep = exp->d; if (!msize) msize = 1 / msize; /* provoke a signal */
+ show +
29
30
31
32
33
34
35
36
if (!esize) { /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 * depending on if MOD equals 1. */ rp[0] = 1; res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; res->sign = 0; goto leave; }
+ show +
37
38
39
40
41
42
43
44
45
46
/* Normalize MOD (i.e. make its most significant bit set) as required by * mpn_divrem. This will make the intermediate values in the calculation * slightly larger, but the correct result is obtained after a final * reduction using the original MOD value. */ mp = mp_marker = mpi_alloc_limb_space(msize); if (!mp) goto enomem; count_leading_zeros(mod_shift_cnt, mod->d[msize - 1]); if (mod_shift_cnt)

[linux_CVE-2016-9191_1483666352_proc_sys_readdir.diff] proc_sys_readdir_OLD.c #1
ctl_dir = container_of(head, struct ctl_dir, header); if (!dir_emit_dots(file, ctx)) - return 0; + goto out; pos = 2;
.\cloneFuncs\totalClone\Type-1\CVE-2016-9191_before_1mo_1476129889_proc_sys_readdir.c
2
3
4
5
6
7
8
9
10
11
{ struct ctl_table_header *head = grab_header(file_inode(file)); struct ctl_table_header *h = NULL; struct ctl_table *entry; struct ctl_dir *ctl_dir; unsigned long pos; if (IS_ERR(head)) return PTR_ERR(head);
+ show +
12
13
14
15
16
17
ctl_dir = container_of(head, struct ctl_dir, header); if (!dir_emit_dots(file, ctx)) return 0; pos = 2;
+ show +
18
19
20
21
22
23
24
25
26
27
for (first_entry(ctl_dir, &h, &entry); h; next_entry(&h, &entry)) { if (!scan(h, entry, &pos, file, ctx)) { sysctl_head_finish(h); break; } } sysctl_head_finish(head); return 0; }

[xen_CVE-2016-9377_1479819049_inject_swint.diff] inject_swint_OLD.c #1
{ if ( !in_realmode(ctxt, ops) ) { - unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8; - unsigned int idte_offset = vector * idte_size; + unsigned int idte_size, idte_offset; struct segment_register idtr; uint32_t idte_ctl; + int lm = in_longmode(ctxt, ops); + + if ( lm < 0 ) + return X86EMUL_UNHANDLEABLE; + + idte_size = lm ? 16 : 8; + idte_offset = vector * idte_size; /* icebp sets the External Event bit despite being an instruction. */ error_code = (vector << 3) | ECODE_IDT |
.\cloneFuncs\totalClone\Type-1\CVE-2016-9377_before_1mo_1476446956_inject_swint.c
30
31
32
33
34
35
36
37
38
39
* descriptors. * * Any OS which would further fault during injection is going to receive a * double fault anyway, and won't be in a position to care that the * faulting eip is incorrect. */ if ( (ctxt->swint_emulate == x86_swint_emulate_all) || ((ctxt->swint_emulate == x86_swint_emulate_icebp) && (type == x86_swint_icebp)) )
+ show +
40
41
42
43
44
45
46
47
48
49
{ if ( !in_realmode(ctxt, ops) ) { unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8; unsigned int idte_offset = vector * idte_size; struct segment_register idtr; uint32_t idte_ctl; /* icebp sets the External Event bit despite being an instruction. */ error_code = (vector << 3) | ECODE_IDT |
+ show +
50
51
52
53
54
55
56
57
58
59
(type == x86_swint_icebp ? ECODE_EXT : 0); /* * TODO - this does not cover the v8086 mode with CR4.VME case * correctly, but falls on the safe side from the point of view of * a 32bit OS. Someone with many TUITs can see about reading the * TSS Software Interrupt Redirection bitmap. */ if ( (ctxt->regs->eflags & EFLG_VM) && ((ctxt->regs->eflags & EFLG_IOPL) != EFLG_IOPL) )

[xen_CVE-2016-9377_1479819049_inject_swint.diff] inject_swint_OLD.c #2
* Should strictly speaking read all 8/16 bytes of an entry, * but we currently only care about the dpl and present bits. */ - ops->read(x86_seg_none, idtr.base + idte_offset + 4, - &idte_ctl, sizeof(idte_ctl), ctxt); + if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4, + &idte_ctl, sizeof(idte_ctl), ctxt)) ) + goto done; /* Is this entry present? */ if ( !(idte_ctl & (1u << 15)) )
.\cloneFuncs\totalClone\Type-1\CVE-2016-9377_before_1mo_1476446956_inject_swint.c
61
62
63
64
65
66
67
68
69
70
fail_if(ops->read_segment == NULL); fail_if(ops->read == NULL); if ( (rc = ops->read_segment(x86_seg_idtr, &idtr, ctxt)) ) goto done; if ( (idte_offset + idte_size - 1) > idtr.limit ) goto raise_exn; /*
+ show +
71
72
73
74
75
76
77
78
* Should strictly speaking read all 8/16 bytes of an entry, * but we currently only care about the dpl and present bits. */ ops->read(x86_seg_none, idtr.base + idte_offset + 4, &idte_ctl, sizeof(idte_ctl), ctxt); /* Is this entry present? */ if ( !(idte_ctl & (1u << 15)) )
+ show +
79
80
81
82
83
84
85
86
87
88
{ fault_type = EXC_NP; goto raise_exn; } /* icebp counts as a hardware event, and bypasses the dpl check. */ if ( type != x86_swint_icebp ) { struct segment_register ss;

[xen_CVE-2016-9378_1479819076_svm_vmcb_dump.diff] svm_vmcb_dump_OLD.c #1
vmcb->tlb_control, (unsigned long long)vmcb->_vintr.bytes, (unsigned long long)vmcb->interrupt_shadow); + printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n", + vmcb->eventinj.bytes, vmcb->eventinj.fields.v, + vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type, + vmcb->eventinj.fields.vector); printk("exitcode = %#Lx exitintinfo = %#Lx\n", (unsigned long long)vmcb->exitcode, (unsigned long long)vmcb->exitintinfo.bytes);
.\cloneFuncs\totalClone\Type-1\CVE-2016-9378_before_1mo_1361463166_svm_vmcb_dump.c
8
9
10
11
12
13
14
15
16
17
"exception_intercepts = %#x\n", vmcb->_cr_intercepts, vmcb->_dr_intercepts, vmcb->_exception_intercepts); printk("general1_intercepts = %#x general2_intercepts = %#x\n", vmcb->_general1_intercepts, vmcb->_general2_intercepts); printk("iopm_base_pa = %#Lx msrpm_base_pa = %#Lx tsc_offset = %#Lx\n", (unsigned long long)vmcb->_iopm_base_pa, (unsigned long long)vmcb->_msrpm_base_pa, (unsigned long long)vmcb->_tsc_offset); printk("tlb_control = %#x vintr = %#Lx interrupt_shadow = %#Lx\n",
+ show +
18
19
20
21
22
23
vmcb->tlb_control, (unsigned long long)vmcb->_vintr.bytes, (unsigned long long)vmcb->interrupt_shadow); printk("exitcode = %#Lx exitintinfo = %#Lx\n", (unsigned long long)vmcb->exitcode, (unsigned long long)vmcb->exitintinfo.bytes);
+ show +
24
25
26
27
28
29
30
31
32
33
printk("exitinfo1 = %#Lx exitinfo2 = %#Lx \n", (unsigned long long)vmcb->exitinfo1, (unsigned long long)vmcb->exitinfo2); printk("np_enable = %Lx guest_asid = %#x\n", (unsigned long long)vmcb->_np_enable, vmcb->_guest_asid); printk("cpl = %d efer = %#Lx star = %#Lx lstar = %#Lx\n", vmcb->_cpl, (unsigned long long)vmcb->_efer, (unsigned long long)vmcb->star, (unsigned long long)vmcb->lstar); printk("CR0 = 0x%016llx CR2 = 0x%016llx\n", (unsigned long long)vmcb->_cr0, (unsigned long long)vmcb->_cr2);

[qemu_CVE-2016-9381_1479819411_cpu_ioreq_move.diff] cpu_ioreq_move_OLD.c #1
trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr, req->data, req->count, req->size); + if (req->size > sizeof(req->data)) { + hw_error("MMIO: bad size (%u)", req->size); + } + if (!req->data_is_ptr) { if (req->dir == IOREQ_READ) { for (i = 0; i < req->count; i++) {
.\cloneFuncs\totalClone\Type-1\CVE-2016-9381_before_1mo_1470042985_cpu_ioreq_move.c
1
2
3
4
static void cpu_ioreq_move(ioreq_t *req) { uint32_t i;
+ show +
5
6
7
8
9
10
trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr, req->data, req->count, req->size); if (!req->data_is_ptr) { if (req->dir == IOREQ_READ) { for (i = 0; i < req->count; i++) {
+ show +
11
12
13
14
15
16
17
18
19
20
read_phys_req_item(req->addr, req, i, &req->data); } } else if (req->dir == IOREQ_WRITE) { for (i = 0; i < req->count; i++) { write_phys_req_item(req->addr, req, i, &req->data); } } } else { uint64_t tmp;

[qemu_CVE-2016-9381_1479819411_cpu_ioreq_pio.diff] cpu_ioreq_pio_OLD.c #1
trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr, req->data, req->count, req->size); + if (req->size > sizeof(uint32_t)) { + hw_error("PIO: bad size (%u)", req->size); + } + if (req->dir == IOREQ_READ) { if (!req->data_is_ptr) { req->data = do_inp(req->addr, req->size);
.\cloneFuncs\totalClone\Type-1\CVE-2016-9381_before_1mo_1470042985_cpu_ioreq_pio.c
1
2
3
4
static void cpu_ioreq_pio(ioreq_t *req) { uint32_t i;
+ show +
5
6
7
8
9
10
trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr, req->data, req->count, req->size); if (req->dir == IOREQ_READ) { if (!req->data_is_ptr) { req->data = do_inp(req->addr, req->size);
+ show +
11
12
13
14
15
16
17
18
19
20
trace_cpu_ioreq_pio_read_reg(req, req->data, req->addr, req->size); } else { uint32_t tmp; for (i = 0; i < req->count; i++) { tmp = do_inp(req->addr, req->size); write_phys_req_item(req->data, req, i, &tmp); } }

[xen_CVE-2016-9382_1479818744_hvm_task_switch.diff] hvm_task_switch_OLD.c #1
if ( rc != HVMCOPY_okay ) goto out; + if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) + goto out; if ( hvm_set_cr3(tss.cr3, 1) ) goto out;
.\cloneFuncs\totalClone\Type-1\CVE-2016-9382_before_1mo_1476971068_hvm_task_switch.c
113
114
115
116
117
118
119
120
121
122
prev_tr.base, &tss, sizeof(tss), PFEC_page_present); if ( rc != HVMCOPY_okay ) goto out; rc = hvm_copy_from_guest_virt( &tss, tr.base, sizeof(tss), PFEC_page_present); /* * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee * functions knew we want RO access. */
+ show +
123
124
125
126
127
128
if ( rc != HVMCOPY_okay ) goto out; if ( hvm_set_cr3(tss.cr3, 1) ) goto out;
+ show +
129
130
131
132
133
134
135
136
137
138
regs->eip = tss.eip; regs->eflags = tss.eflags | 2; regs->eax = tss.eax; regs->ecx = tss.ecx; regs->edx = tss.edx; regs->ebx = tss.ebx; regs->esp = tss.esp; regs->ebp = tss.ebp; regs->esi = tss.esi;
.\cloneFuncs\totalClone\Type-2\CVE-2016-9382_before_6mo_1463164721_hvm_task_switch.c
113
114
115
116
117
118
119
120
121
122
prev_tr.base, &tss, sizeof(tss), PFEC_page_present); if ( rc != HVMCOPY_okay ) goto out; rc = hvm_copy_from_guest_virt( &tss, tr.base, sizeof(tss), PFEC_page_present); /* * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee * functions knew we want RO access. */
+ show +
123
124
125
126
127
128
if ( rc != HVMCOPY_okay ) goto out; if ( hvm_set_cr3(tss.cr3, 1) ) goto out;
+ show +
129
130
131
132
133
134
135
136
137
138
regs->eip = tss.eip; regs->eflags = tss.eflags | 2; regs->eax = tss.eax; regs->ecx = tss.ecx; regs->edx = tss.edx; regs->ebx = tss.ebx; regs->esp = tss.esp; regs->ebp = tss.ebp; regs->esi = tss.esi;

[xen_CVE-2016-9382_1479818744_hvm_task_switch.diff] hvm_task_switch_OLD.c #2
} exn_raised = 0; - if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || - hvm_load_segment_selector(x86_seg_es, tss.es) || - hvm_load_segment_selector(x86_seg_cs, tss.cs) || - hvm_load_segment_selector(x86_seg_ss, tss.ss) || - hvm_load_segment_selector(x86_seg_ds, tss.ds) || - hvm_load_segment_selector(x86_seg_fs, tss.fs) || - hvm_load_segment_selector(x86_seg_gs, tss.gs) ) + if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || + hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || + hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || + hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || + hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || + hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) exn_raised = 1; rc = hvm_copy_to_guest_virt(
.\cloneFuncs\totalClone\Type-1\CVE-2016-9382_before_1mo_1476971068_hvm_task_switch.c
135
136
137
138
139
140
141
142
143
144
regs->ebx = tss.ebx; regs->esp = tss.esp; regs->ebp = tss.ebp; regs->esi = tss.esi; regs->edi = tss.edi; if ( (taskswitch_reason == TSW_call_or_int) ) { regs->eflags |= X86_EFLAGS_NT; tss.back_link = prev_tr.sel;
+ show +
145
146
147
148
149
150
151
152
153
154
155
156
157
} exn_raised = 0; if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || hvm_load_segment_selector(x86_seg_es, tss.es) || hvm_load_segment_selector(x86_seg_cs, tss.cs) || hvm_load_segment_selector(x86_seg_ss, tss.ss) || hvm_load_segment_selector(x86_seg_ds, tss.ds) || hvm_load_segment_selector(x86_seg_fs, tss.fs) || hvm_load_segment_selector(x86_seg_gs, tss.gs) ) exn_raised = 1; rc = hvm_copy_to_guest_virt(
+ show +
158
159
160
161
162
163
164
165
166
167
tr.base, &tss, sizeof(tss), PFEC_page_present); if ( rc == HVMCOPY_bad_gva_to_gfn ) exn_raised = 1; else if ( rc != HVMCOPY_okay ) goto out; if ( (tss.trace & 1) && !exn_raised ) hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); tr.attr.fields.type = 0xb; /* busy 32-bit tss */
.\cloneFuncs\totalClone\Type-2\CVE-2016-9382_before_6mo_1463164721_hvm_task_switch.c
135
136
137
138
139
140
141
142
143
144
regs->ebx = tss.ebx; regs->esp = tss.esp; regs->ebp = tss.ebp; regs->esi = tss.esi; regs->edi = tss.edi; if ( (taskswitch_reason == TSW_call_or_int) ) { regs->eflags |= X86_EFLAGS_NT; tss.back_link = prev_tr.sel;
+ show +
145
146
147
148
149
150
151
152
153
154
155
156
157
} exn_raised = 0; if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || hvm_load_segment_selector(x86_seg_es, tss.es) || hvm_load_segment_selector(x86_seg_cs, tss.cs) || hvm_load_segment_selector(x86_seg_ss, tss.ss) || hvm_load_segment_selector(x86_seg_ds, tss.ds) || hvm_load_segment_selector(x86_seg_fs, tss.fs) || hvm_load_segment_selector(x86_seg_gs, tss.gs) ) exn_raised = 1; rc = hvm_copy_to_guest_virt(
+ show +
158
159
160
161
162
163
164
165
166
167
tr.base, &tss, sizeof(tss), PFEC_page_present); if ( rc == HVMCOPY_bad_gva_to_gfn ) exn_raised = 1; else if ( rc != HVMCOPY_okay ) goto out; if ( (tss.trace & 1) && !exn_raised ) hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); tr.attr.fields.type = 0xb; /* busy 32-bit tss */

[qemu_CVE-2016-9602_1495701014_handle_utimensat.diff] handle_utimensat_OLD.c #1
const struct timespec *buf) { int ret; -#ifdef CONFIG_UTIMENSAT int fd; struct handle_data *data = (struct handle_data *)ctx->private;
.\cloneFuncs\totalClone\Type-1\CVE-2016-9602_before_1mo_1465206754_handle_utimensat.c
1
static int handle_utimensat(FsContext *ctx, V9fsPath *fs_path,
+ show +
2
3
4
5
6
7
const struct timespec *buf) { int ret; #ifdef CONFIG_UTIMENSAT int fd; struct handle_data *data = (struct handle_data *)ctx->private;
+ show +
8
9
10
11
12
13
14
15
16
17
fd = open_by_handle(data->mountfd, fs_path->data, O_NONBLOCK); if (fd < 0) { return fd; } ret = futimens(fd, buf); close(fd); #else ret = -1; errno = ENOSYS;

[linux_CVE-2017-0786_1505206073_brcmf_cfg80211_escan_handler.diff] brcmf_cfg80211_escan_handler_OLD.c #1
struct brcmf_cfg80211_info *cfg = ifp->drvr->config; s32 status; struct brcmf_escan_result_le *escan_result_le; + u32 escan_buflen; struct brcmf_bss_info_le *bss_info_le; struct brcmf_bss_info_le *bss = NULL; u32 bi_length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-0786_before_1mo_1501753079_brcmf_cfg80211_escan_handler.c
1
2
3
4
static s32 brcmf_cfg80211_escan_handler(struct brcmf_if *ifp, const struct brcmf_event_msg *e, void *data) {
+ show +
5
6
7
8
9
10
struct brcmf_cfg80211_info *cfg = ifp->drvr->config; s32 status; struct brcmf_escan_result_le *escan_result_le; struct brcmf_bss_info_le *bss_info_le; struct brcmf_bss_info_le *bss = NULL; u32 bi_length;
+ show +
11
12
13
14
15
16
17
18
19
20
struct brcmf_scan_results *list; u32 i; bool aborted; status = e->status; if (status == BRCMF_E_STATUS_ABORT) goto exit; if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-0786_before_6mo_1488234602_brcmf_cfg80211_escan_handler.c
1
2
3
4
static s32 brcmf_cfg80211_escan_handler(struct brcmf_if *ifp, const struct brcmf_event_msg *e, void *data) {
+ show +
5
6
7
8
9
10
struct brcmf_cfg80211_info *cfg = ifp->drvr->config; s32 status; struct brcmf_escan_result_le *escan_result_le; struct brcmf_bss_info_le *bss_info_le; struct brcmf_bss_info_le *bss = NULL; u32 bi_length;
+ show +
11
12
13
14
15
16
17
18
19
20
struct brcmf_scan_results *list; u32 i; bool aborted; status = e->status; if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) { brcmf_err("scan not ready, bsscfgidx=%d\n", ifp->bsscfgidx); return -EPERM; }

[linux_CVE-2017-0786_1505206073_brcmf_cfg80211_escan_handler.diff] brcmf_cfg80211_escan_handler_OLD.c #2
if (status == BRCMF_E_STATUS_PARTIAL) { brcmf_dbg(SCAN, "ESCAN Partial result\n"); + if (e->datalen < sizeof(*escan_result_le)) { + brcmf_err("invalid event data length\n"); + goto exit; + } escan_result_le = (struct brcmf_escan_result_le *) data; if (!escan_result_le) { brcmf_err("Invalid escan result (NULL pointer)\n"); goto exit; } + escan_buflen = le32_to_cpu(escan_result_le->buflen); + if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || + escan_buflen > e->datalen || + escan_buflen < sizeof(*escan_result_le)) { + brcmf_err("Invalid escan buffer length: %d\n", + escan_buflen); + goto exit; + } if (le16_to_cpu(escan_result_le->bss_count) != 1) { brcmf_err("Invalid bss_count %d: ignoring\n", escan_result_le->bss_count);
.\cloneFuncs\totalClone\Type-1\CVE-2017-0786_before_1mo_1501753079_brcmf_cfg80211_escan_handler.c
15
16
17
18
19
20
21
22
23
24
status = e->status; if (status == BRCMF_E_STATUS_ABORT) goto exit; if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) { brcmf_err("scan not ready, bsscfgidx=%d\n", ifp->bsscfgidx); return -EPERM; }
+ show +
25
26
27
28
29
30
31
32
33
34
if (status == BRCMF_E_STATUS_PARTIAL) { brcmf_dbg(SCAN, "ESCAN Partial result\n"); escan_result_le = (struct brcmf_escan_result_le *) data; if (!escan_result_le) { brcmf_err("Invalid escan result (NULL pointer)\n"); goto exit; } if (le16_to_cpu(escan_result_le->bss_count) != 1) { brcmf_err("Invalid bss_count %d: ignoring\n", escan_result_le->bss_count);
+ show +
35
36
37
38
39
40
41
42
43
44
goto exit; } bss_info_le = &escan_result_le->bss_info_le; if (brcmf_p2p_scan_finding_common_channel(cfg, bss_info_le)) goto exit; if (!cfg->int_escan_map && !cfg->scan_request) { brcmf_dbg(SCAN, "result without cfg80211 request\n"); goto exit;
.\cloneFuncs\totalClone\Type-3\CVE-2017-0786_before_6mo_1488234602_brcmf_cfg80211_escan_handler.c
12
13
14
15
16
17
18
19
20
21
u32 i; bool aborted; status = e->status; if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) { brcmf_err("scan not ready, bsscfgidx=%d\n", ifp->bsscfgidx); return -EPERM; }
+ show +
22
23
24
25
26
27
28
29
30
31
if (status == BRCMF_E_STATUS_PARTIAL) { brcmf_dbg(SCAN, "ESCAN Partial result\n"); escan_result_le = (struct brcmf_escan_result_le *) data; if (!escan_result_le) { brcmf_err("Invalid escan result (NULL pointer)\n"); goto exit; } if (le16_to_cpu(escan_result_le->bss_count) != 1) { brcmf_err("Invalid bss_count %d: ignoring\n", escan_result_le->bss_count);
+ show +
32
33
34
35
36
37
38
39
40
41
goto exit; } bss_info_le = &escan_result_le->bss_info_le; if (brcmf_p2p_scan_finding_common_channel(cfg, bss_info_le)) goto exit; if (!cfg->internal_escan && !cfg->scan_request) { brcmf_dbg(SCAN, "result without cfg80211 request\n"); goto exit;

[linux_CVE-2017-0786_1505206073_brcmf_cfg80211_escan_handler.diff] brcmf_cfg80211_escan_handler_OLD.c #3
} bi_length = le32_to_cpu(bss_info_le->length); - if (bi_length != (le32_to_cpu(escan_result_le->buflen) - - WL_ESCAN_RESULTS_FIXED_SIZE)) { - brcmf_err("Invalid bss_info length %d: ignoring\n", + if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { + brcmf_err("Ignoring invalid bss_info length: %d\n", bi_length); goto exit; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-0786_before_1mo_1501753079_brcmf_cfg80211_escan_handler.c
35
36
37
38
39
40
41
42
43
44
goto exit; } bss_info_le = &escan_result_le->bss_info_le; if (brcmf_p2p_scan_finding_common_channel(cfg, bss_info_le)) goto exit; if (!cfg->int_escan_map && !cfg->scan_request) { brcmf_dbg(SCAN, "result without cfg80211 request\n"); goto exit;
+ show +
45
46
47
48
49
50
51
52
53
} bi_length = le32_to_cpu(bss_info_le->length); if (bi_length != (le32_to_cpu(escan_result_le->buflen) - WL_ESCAN_RESULTS_FIXED_SIZE)) { brcmf_err("Invalid bss_info length %d: ignoring\n", bi_length); goto exit; }
+ show +
54
55
56
57
58
59
60
61
62
63
if (!(cfg_to_wiphy(cfg)->interface_modes & BIT(NL80211_IFTYPE_ADHOC))) { if (le16_to_cpu(bss_info_le->capability) & WLAN_CAPABILITY_IBSS) { brcmf_err("Ignoring IBSS result\n"); goto exit; } }
.\cloneFuncs\totalClone\Type-3\CVE-2017-0786_before_6mo_1488234602_brcmf_cfg80211_escan_handler.c
32
33
34
35
36
37
38
39
40
41
goto exit; } bss_info_le = &escan_result_le->bss_info_le; if (brcmf_p2p_scan_finding_common_channel(cfg, bss_info_le)) goto exit; if (!cfg->internal_escan && !cfg->scan_request) { brcmf_dbg(SCAN, "result without cfg80211 request\n"); goto exit;
+ show +
42
43
44
45
46
47
48
49
50
} bi_length = le32_to_cpu(bss_info_le->length); if (bi_length != (le32_to_cpu(escan_result_le->buflen) - WL_ESCAN_RESULTS_FIXED_SIZE)) { brcmf_err("Invalid bss_info length %d: ignoring\n", bi_length); goto exit; }
+ show +
51
52
53
54
55
56
57
58
59
60
if (!(cfg_to_wiphy(cfg)->interface_modes & BIT(NL80211_IFTYPE_ADHOC))) { if (le16_to_cpu(bss_info_le->capability) & WLAN_CAPABILITY_IBSS) { brcmf_err("Ignoring IBSS result\n"); goto exit; } }

[linux_CVE-2017-0861_1512494215_snd_pcm_control_ioctl.diff] snd_pcm_control_ioctl_OLD.c #1
err = -ENXIO; goto _error; } + mutex_lock(&pcm->open_mutex); err = snd_pcm_info_user(substream, info); + mutex_unlock(&pcm->open_mutex); _error: mutex_unlock(®ister_mutex); return err;
.\cloneFuncs\totalClone\Type-1\CVE-2017-0861_before_1mo_1508233255_snd_pcm_control_ioctl.c
48
49
50
51
52
53
54
55
56
57
} if (subdevice >= pstr->substream_count) { err = -ENXIO; goto _error; } for (substream = pstr->substream; substream; substream = substream->next) if (substream->number == (int)subdevice) break; if (substream == NULL) {
+ show +
58
59
60
61
62
63
64
err = -ENXIO; goto _error; } err = snd_pcm_info_user(substream, info); _error: mutex_unlock(&register_mutex); return err;
+ show +
65
66
67
68
69
70
71
72
73
74
} case SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE: { int val; if (get_user(val, (int __user *)arg)) return -EFAULT; control->preferred_subdevice[SND_CTL_SUBDEV_PCM] = val; return 0; }

[linux_CVE-2017-1000252_1504807350_vmx_update_pi_irte.diff] vmx_update_pi_irte_OLD.c #1
struct kvm_lapic_irq irq; struct kvm_vcpu *vcpu; struct vcpu_data vcpu_info; - int idx, ret = -EINVAL; + int idx, ret = 0; if (!kvm_arch_has_assigned_device(kvm) || !irq_remapping_cap(IRQ_POSTING_CAP) ||
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000252_before_1mo_1502165133_vmx_update_pi_irte.c
1
2
3
4
5
static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq, uint32_t guest_irq, bool set) { struct kvm_kernel_irq_routing_entry *e; struct kvm_irq_routing_table *irq_rt;
+ show +
6
7
8
9
10
11
12
struct kvm_lapic_irq irq; struct kvm_vcpu *vcpu; struct vcpu_data vcpu_info; int idx, ret = -EINVAL; if (!kvm_arch_has_assigned_device(kvm) || !irq_remapping_cap(IRQ_POSTING_CAP) ||
+ show +
13
14
15
16
17
18
19
20
21
22
!kvm_vcpu_apicv_active(kvm->vcpus[0])) return 0; idx = srcu_read_lock(&kvm->irq_srcu); irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); BUG_ON(guest_irq >= irq_rt->nr_rt_entries); hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) { if (e->type != KVM_IRQ_ROUTING_MSI) continue;

[linux_CVE-2017-1000252_1504807350_vmx_update_pi_irte.diff] vmx_update_pi_irte_OLD.c #2
idx = srcu_read_lock(&kvm->irq_srcu); irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); - BUG_ON(guest_irq >= irq_rt->nr_rt_entries); + if (guest_irq >= irq_rt->nr_rt_entries || + hlist_empty(&irq_rt->map[guest_irq])) { + pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n", + guest_irq, irq_rt->nr_rt_entries); + goto out; + } hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) { if (e->type != KVM_IRQ_ROUTING_MSI)
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000252_before_1mo_1502165133_vmx_update_pi_irte.c
6
7
8
9
10
11
12
13
14
15
struct kvm_lapic_irq irq; struct kvm_vcpu *vcpu; struct vcpu_data vcpu_info; int idx, ret = -EINVAL; if (!kvm_arch_has_assigned_device(kvm) || !irq_remapping_cap(IRQ_POSTING_CAP) || !kvm_vcpu_apicv_active(kvm->vcpus[0])) return 0;
+ show +
16
17
18
19
20
21
idx = srcu_read_lock(&kvm->irq_srcu); irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); BUG_ON(guest_irq >= irq_rt->nr_rt_entries); hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) { if (e->type != KVM_IRQ_ROUTING_MSI)
+ show +
22
23
24
25
26
27
28
29
30
31
continue; /* * VT-d PI cannot support posting multicast/broadcast * interrupts to a vCPU, we still use interrupt remapping * for these kind of interrupts. * * For lowest-priority interrupts, we only support * those with single CPU as the destination, e.g. user * configures the interrupts via /proc/irq or uses * irqbalance to make the interrupts single-CPU.

[linux_CVE-2017-1000253_1523403361_load_elf_interp.diff] load_elf_interp_OLD.c #1
elf_prot |= PROT_EXEC; vaddr = eppnt->p_vaddr; if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) - elf_type |= MAP_FIXED; + elf_type |= MAP_FIXED_NOREPLACE; else if (no_base && interp_elf_ex->e_type == ET_DYN) load_addr = -vaddr;
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000253_before_1mo_1517960353_load_elf_interp.c
34
35
36
37
38
39
40
41
42
43
int elf_type = MAP_PRIVATE | MAP_DENYWRITE; int elf_prot = 0; unsigned long vaddr = 0; unsigned long k, map_addr; if (eppnt->p_flags & PF_R) elf_prot = PROT_READ; if (eppnt->p_flags & PF_W) elf_prot |= PROT_WRITE; if (eppnt->p_flags & PF_X)
+ show +
44
45
46
47
48
49
elf_prot |= PROT_EXEC; vaddr = eppnt->p_vaddr; if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) elf_type |= MAP_FIXED; else if (no_base && interp_elf_ex->e_type == ET_DYN) load_addr = -vaddr;
+ show +
50
51
52
53
54
55
56
57
58
59
map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type, total_size); total_size = 0; if (!*interp_map_addr) *interp_map_addr = map_addr; error = map_addr; if (BAD_ADDR(map_addr)) goto out;

[linux_CVE-2017-1000253_1523403361_load_elf_library.diff] load_elf_library_OLD.c #1
(eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr)), PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, + MAP_FIXED_NOREPLACE | MAP_PRIVATE | MAP_DENYWRITE, (eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr))); if (error != ELF_PAGESTART(eppnt->p_vaddr))
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000253_before_1mo_1517960353_load_elf_library.c
44
45
46
47
48
49
50
51
52
53
j++; if (j != 1) goto out_free_ph; while (eppnt->p_type != PT_LOAD) eppnt++; /* Now use mmap to map the library into memory. */ error = vm_mmap(file, ELF_PAGESTART(eppnt->p_vaddr),
+ show +
54
55
56
57
58
59
60
(eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr)), PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, (eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr))); if (error != ELF_PAGESTART(eppnt->p_vaddr))
+ show +
61
62
63
64
65
66
67
68
69
70
goto out_free_ph; elf_bss = eppnt->p_vaddr + eppnt->p_filesz; if (padzero(elf_bss)) { error = -EFAULT; goto out_free_ph; } len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);

[linux_CVE-2017-1000410_1512742487_l2cap_parse_conf_req.diff] l2cap_parse_conf_req_OLD.c #1
break; case L2CAP_CONF_EFS: - remote_efs = 1; - if (olen == sizeof(efs)) + if (olen == sizeof(efs)) { + remote_efs = 1; memcpy(&efs, (void *) val, olen); + } break; case L2CAP_CONF_EWS:
.\cloneFuncs\totalClone\Type-1\CVE-2017-1000410_before_imd_1504991759_l2cap_parse_conf_req.c
35
36
37
38
39
40
41
42
43
44
break; case L2CAP_CONF_RFC: if (olen == sizeof(rfc)) memcpy(&rfc, (void *) val, olen); break; case L2CAP_CONF_FCS: if (val == L2CAP_FCS_NONE) set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
+ show +
45
46
47
48
49
50
51
52
53
break; case L2CAP_CONF_EFS: remote_efs = 1; if (olen == sizeof(efs)) memcpy(&efs, (void *) val, olen); break; case L2CAP_CONF_EWS:
+ show +
54
55
56
57
58
59
60
61
62
63
if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) return -ECONNREFUSED; set_bit(FLAG_EXT_CTRL, &chan->flags); set_bit(CONF_EWS_RECV, &chan->conf_state); chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; chan->remote_tx_win = val; break; default:
.\cloneFuncs\totalClone\Type-3\CVE-2017-1000410_before_1mo_1497616161_l2cap_parse_conf_req.c
34
35
36
37
38
39
40
41
42
43
break; case L2CAP_CONF_RFC: if (olen == sizeof(rfc)) memcpy(&rfc, (void *) val, olen); break; case L2CAP_CONF_FCS: if (val == L2CAP_FCS_NONE) set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
+ show +
44
45
46
47
48
49
50
51
52
break; case L2CAP_CONF_EFS: remote_efs = 1; if (olen == sizeof(efs)) memcpy(&efs, (void *) val, olen); break; case L2CAP_CONF_EWS:
+ show +
53
54
55
56
57
58
59
60
61
62
if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) return -ECONNREFUSED; set_bit(FLAG_EXT_CTRL, &chan->flags); set_bit(CONF_EWS_RECV, &chan->conf_state); chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; chan->remote_tx_win = val; break; default:

[tcpdump_CVE-2017-11108_1486164858_stp_print.diff] stp_print_OLD.c #1
if (stp_bpdu->protocol_version == STP_PROTO_SPB) { /* Validate v4 length */ + ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len += 2; if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||
.\cloneFuncs\totalClone\Type-1\CVE-2017-11108_before_imd_1447688949_stp_print.c
66
67
68
69
70
71
72
73
74
75
/* Validate v3 length */ ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET); mstp_len = EXTRACT_16BITS(p + MST_BPDU_VER3_LEN_OFFSET); mstp_len += 2; /* length encoding itself is 2 bytes */ if (length < (sizeof(struct stp_bpdu_) + mstp_len)) { goto trunc; } if (!stp_print_mstp_bpdu(ndo, stp_bpdu, length)) goto trunc;
+ show +
76
77
78
79
80
81
if (stp_bpdu->protocol_version == STP_PROTO_SPB) { /* Validate v4 length */ spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len += 2; if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||
+ show +
82
83
84
85
86
87
88
89
90
91
spb_len < SPB_BPDU_MIN_LEN) { goto trunc; } if (!stp_print_spb_bpdu(ndo, stp_bpdu, (sizeof(struct stp_bpdu_) + mstp_len))) goto trunc; } } break; case STP_BPDU_TYPE_TOPO_CHANGE:
.\cloneFuncs\totalClone\Type-3\CVE-2017-11108_before_1mo_1471267648_stp_print.c
58
59
60
61
62
63
64
65
66
67
} /* Validate v3 length */ mstp_len = EXTRACT_16BITS(p + MST_BPDU_VER3_LEN_OFFSET); mstp_len += 2; /* length encoding itself is 2 bytes */ if (length < (sizeof(struct stp_bpdu_) + mstp_len)) { goto trunc; } stp_print_mstp_bpdu(ndo, stp_bpdu, length);
+ show +
68
69
70
71
72
73
if (stp_bpdu->protocol_version == STP_PROTO_SPB) { /* Validate v4 length */ spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len += 2; if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||
+ show +
74
75
76
77
78
79
80
81
82
83
spb_len < SPB_BPDU_MIN_LEN) { goto trunc; } stp_print_spb_bpdu(ndo, stp_bpdu, (sizeof(struct stp_bpdu_) + mstp_len)); } } break; case STP_BPDU_TYPE_TOPO_CHANGE: /* always empty message - just break out */

[tcpdump_CVE-2017-11108_1486164858_stp_print_mstp_bpdu.diff] stp_print_mstp_bpdu_OLD.c #1
return 1; } + ND_TCHECK(stp_bpdu->flags); ND_PRINT((ndo, "\n\tport-role %s, ", tok2str(rstp_obj_port_role_values, "Unknown", RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
.\cloneFuncs\totalClone\Type-1\CVE-2017-11108_before_imd_1447688949_stp_print_mstp_bpdu.c
9
10
11
12
13
14
15
16
17
18
u_int offset; ptr = (const u_char *)stp_bpdu; ND_PRINT((ndo, ", CIST Flags [%s], length %u", bittok2str(stp_bpdu_flag_values, "none", stp_bpdu->flags), length)); /* * in non-verbose mode just print the flags. */ if (!ndo->ndo_vflag) {
+ show +
19
20
21
22
23
24
return 1; } ND_PRINT((ndo, "\n\tport-role %s, ", tok2str(rstp_obj_port_role_values, "Unknown", RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
+ show +
25
26
27
28
29
30
31
32
33
34
ND_TCHECK(stp_bpdu->root_path_cost); ND_PRINT((ndo, "CIST root-id %s, CIST ext-pathcost %u", stp_print_bridge_id((const u_char *)&stp_bpdu->root_id), EXTRACT_32BITS(&stp_bpdu->root_path_cost))); ND_TCHECK(stp_bpdu->bridge_id); ND_PRINT((ndo, "\n\tCIST regional-root-id %s, ", stp_print_bridge_id((const u_char *)&stp_bpdu->bridge_id)));

[qemu_CVE-2017-11434_1500293006_dhcp_decode.diff] dhcp_decode_OLD.c #1
if (p >= p_end) break; len = *p++; + if (p + len > p_end) { + break; + } DPRINTF("dhcp: tag=%d len=%d\n", tag, len); switch(tag) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-11434_before_1mo_1454089799_dhcp_decode.c
13
14
15
16
17
18
19
20
21
22
return; p += 4; while (p < p_end) { tag = p[0]; if (tag == RFC1533_PAD) { p++; } else if (tag == RFC1533_END) { break; } else { p++;
+ show +
23
24
25
26
27
28
if (p >= p_end) break; len = *p++; DPRINTF("dhcp: tag=%d len=%d\n", tag, len); switch(tag) {
+ show +
29
30
31
32
33
34
35
36
37
38
case RFC2132_MSG_TYPE: if (len >= 1) *pmsg_type = p[0]; break; case RFC2132_REQ_ADDR: if (len >= 4) { memcpy(&(preq_addr->s_addr), p, 4); } break; default:

[tcpdump_CVE-2017-13030_1490216968_pimv1_print.diff] pimv1_print_OLD.c #1
pimv1_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { - register const u_char *ep; register u_char type; - ep = (const u_char *)ndo->ndo_snapend; - if (bp >= ep) - return; - ND_TCHECK(bp[1]); type = bp[1];
.\cloneFuncs\totalClone\Type-1\CVE-2017-11542_after_imd_1487014285_pimv1_print.c
1
void
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
pimv1_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { register const u_char *ep; register u_char type; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; ND_TCHECK(bp[1]); type = bp[1];
+ show +
14
15
16
17
18
19
20
21
22
23
ND_PRINT((ndo, " %s", tok2str(pimv1_type_str, "[type %u]", type))); switch (type) { case PIMV1_TYPE_QUERY: if (ND_TTEST(bp[8])) { switch (bp[8] >> 4) { case 0: ND_PRINT((ndo, " Dense-mode")); break; case 1:
.\cloneFuncs\totalClone\Type-1\CVE-2017-11542_before_imd_1439063616_pimv1_print.c
1
void
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
pimv1_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { register const u_char *ep; register u_char type; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; ND_TCHECK(bp[1]); type = bp[1];
+ show +
14
15
16
17
18
19
20
21
22
23
ND_PRINT((ndo, " %s", tok2str(pimv1_type_str, "[type %u]", type))); switch (type) { case PIMV1_TYPE_QUERY: if (ND_TTEST(bp[8])) { switch (bp[8] >> 4) { case 0: ND_PRINT((ndo, " Dense-mode")); break; case 1:
.\cloneFuncs\totalClone\Type-2\CVE-2017-11542_before_1mo_1471182139_pimv1_print.c
1
void
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
pimv1_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { register const u_char *ep; register u_char type; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; ND_TCHECK(bp[1]); type = bp[1];
+ show +
14
15
16
17
18
19
20
21
22
23
ND_PRINT((ndo, " %s", tok2str(pimv1_type_str, "[type %u]", type))); switch (type) { case PIMV1_TYPE_QUERY: if (ND_TTEST(bp[8])) { switch (bp[8] >> 4) { case 0: ND_PRINT((ndo, " Dense-mode")); break; case 1:

[tcpdump_CVE-2017-13030_1490216968_pimv1_print.diff] pimv1_print_OLD.c #2
case PIMV1_TYPE_JOIN_PRUNE: case PIMV1_TYPE_GRAFT: case PIMV1_TYPE_GRAFT_ACK: - if (ndo->ndo_vflag) + if (ndo->ndo_vflag) { + if (len < 8) + goto trunc; pimv1_join_prune_print(ndo, &bp[8], len - 8); + } break; } ND_TCHECK(bp[4]);
.\cloneFuncs\totalClone\Type-1\CVE-2017-11542_after_imd_1487014285_pimv1_print.c
64
65
66
67
68
69
70
71
72
73
ND_PRINT((ndo, " for %s > %s", ipaddr_string(ndo, &bp[16]), ipaddr_string(ndo, &bp[8]))); if (EXTRACT_32BITS(&bp[12]) != 0xffffffff) ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[12]))); ND_TCHECK2(bp[24], 4); ND_PRINT((ndo, " %s pref %d metric %d", (bp[20] & 0x80) ? "RP-tree" : "SPT", EXTRACT_32BITS(&bp[20]) & 0x7fffffff, EXTRACT_32BITS(&bp[24]))); break;
+ show +
74
75
76
77
78
79
80
81
case PIMV1_TYPE_JOIN_PRUNE: case PIMV1_TYPE_GRAFT: case PIMV1_TYPE_GRAFT_ACK: if (ndo->ndo_vflag) pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } ND_TCHECK(bp[4]);
+ show +
82
83
84
85
86
87
88
89
if ((bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return; trunc: ND_PRINT((ndo, "[|pim]")); return; }

[tcpdump_CVE-2017-11542_1486494604_pimv1_print.diff] pimv1_print_OLD.c #1
pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } + ND_TCHECK(bp[4]); if ((bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-11542_before_imd_1439063616_pimv1_print.c
68
69
70
71
72
73
74
75
76
77
ND_TCHECK2(bp[24], 4); ND_PRINT((ndo, " %s pref %d metric %d", (bp[20] & 0x80) ? "RP-tree" : "SPT", EXTRACT_32BITS(&bp[20]) & 0x7fffffff, EXTRACT_32BITS(&bp[24]))); break; case PIMV1_TYPE_JOIN_PRUNE: case PIMV1_TYPE_GRAFT: case PIMV1_TYPE_GRAFT_ACK: if (ndo->ndo_vflag)
+ show +
78
79
80
81
82
83
pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } if ((bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return;
+ show +
84
85
86
87
88
trunc: ND_PRINT((ndo, "[|pim]")); return; }
.\cloneFuncs\totalClone\Type-2\CVE-2017-11542_before_1mo_1471182139_pimv1_print.c
68
69
70
71
72
73
74
75
76
77
ND_TCHECK2(bp[24], 4); ND_PRINT((ndo, " %s pref %d metric %d", (bp[20] & 0x80) ? "RP-tree" : "SPT", EXTRACT_32BITS(&bp[20]) & 0x7fffffff, EXTRACT_32BITS(&bp[24]))); break; case PIMV1_TYPE_JOIN_PRUNE: case PIMV1_TYPE_GRAFT: case PIMV1_TYPE_GRAFT_ACK: if (ndo->ndo_vflag)
+ show +
78
79
80
81
82
83
pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } if ((bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return;
+ show +
84
85
86
87
88
trunc: ND_PRINT((ndo, "[|pim]")); return; }

[tcpdump_CVE-2017-11543_1489780144_sliplink_print.diff] sliplink_print_OLD.c #1
u_int hlen; dir = p[SLX_DIR]; - ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); + switch (dir) { + case SLIPDIR_IN: + ND_PRINT((ndo, "I ")); + break; + + case SLIPDIR_OUT: + ND_PRINT((ndo, "O ")); + break; + + default: + ND_PRINT((ndo, "Invalid direction %d ", dir)); + dir = -1; + break; + } if (ndo->ndo_nflag) { /* XXX just dump the header */ register int i;
.\cloneFuncs\totalClone\Type-1\CVE-2017-11543_before_1mo_1471182139_sliplink_print.c
1
2
3
4
5
6
static void sliplink_print(netdissect_options *ndo, register const u_char *p, register const struct ip *ip, register u_int length) { int dir;
+ show +
7
8
9
10
11
12
13
14
u_int hlen; dir = p[SLX_DIR]; ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); if (ndo->ndo_nflag) { /* XXX just dump the header */ register int i;
+ show +
15
16
17
18
19
20
21
22
23
24
for (i = SLX_CHDR; i < SLX_CHDR + CHDR_LEN - 1; ++i) ND_PRINT((ndo, "%02x.", p[i])); ND_PRINT((ndo, "%02x: ", p[SLX_CHDR + CHDR_LEN - 1])); return; } switch (p[SLX_CHDR] & 0xf0) { case TYPE_IP: ND_PRINT((ndo, "ip %d: ", length + SLIP_HDRLEN));

[linux_CVE-2017-11600_1501696214_xfrm_migrate.diff] xfrm_migrate_OLD.c #1
struct xfrm_state *x_new[XFRM_MAX_DEPTH]; struct xfrm_migrate *mp; + /* Stage 0 - sanity checks */ if ((err = xfrm_migrate_check(m, num_migrate)) < 0) goto out; + if (dir >= XFRM_POLICY_MAX) { + err = -EINVAL; + goto out; + } + /* Stage 1 - find policy */ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { err = -ENOENT;
.\cloneFuncs\totalClone\Type-1\CVE-2017-11600_before_1mo_1498840988_xfrm_migrate.c
1
2
3
4
5
6
7
8
9
int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_migrate, struct xfrm_kmaddress *k, struct net *net, struct xfrm_encap_tmpl *encap) { int i, err, nx_cur = 0, nx_new = 0; struct xfrm_policy *pol = NULL; struct xfrm_state *x, *xc; struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
+ show +
10
11
12
13
14
15
16
17
18
struct xfrm_state *x_new[XFRM_MAX_DEPTH]; struct xfrm_migrate *mp; if ((err = xfrm_migrate_check(m, num_migrate)) < 0) goto out; /* Stage 1 - find policy */ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { err = -ENOENT;
+ show +
19
20
21
22
23
24
25
26
27
28
goto out; } /* Stage 2 - find and update state(s) */ for (i = 0, mp = m; i < num_migrate; i++, mp++) { if ((x = xfrm_migrate_state_find(mp, net))) { x_cur[nx_cur] = x; nx_cur++; xc = xfrm_state_migrate(x, mp, encap); if (xc) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-11600_before_6mo_1483460000_xfrm_migrate.c
1
2
3
4
5
6
7
8
int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_migrate, struct xfrm_kmaddress *k, struct net *net) { int i, err, nx_cur = 0, nx_new = 0; struct xfrm_policy *pol = NULL; struct xfrm_state *x, *xc; struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
+ show +
9
10
11
12
13
14
15
16
17
struct xfrm_state *x_new[XFRM_MAX_DEPTH]; struct xfrm_migrate *mp; if ((err = xfrm_migrate_check(m, num_migrate)) < 0) goto out; /* Stage 1 - find policy */ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { err = -ENOENT;
+ show +
18
19
20
21
22
23
24
25
26
27
goto out; } /* Stage 2 - find and update state(s) */ for (i = 0, mp = m; i < num_migrate; i++, mp++) { if ((x = xfrm_migrate_state_find(mp, net))) { x_cur[nx_cur] = x; nx_cur++; if ((xc = xfrm_state_migrate(x, mp))) { x_new[nx_new] = xc;

[libtiff_CVE-2017-11613_1521275789_ChopUpSingleUncompressedStrip.diff] ChopUpSingleUncompressedStrip_OLD.c #1
/* file is as big as needed */ if( tif->tif_mode == O_RDONLY && nstrips > 1000000 && - (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || - tif->tif_dir.td_stripbytecount[0] > - TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) + (offset >= TIFFGetFileSize(tif) || + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) { return; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-11613_before_imd_1520763241_ChopUpSingleUncompressedStrip.c
46
47
48
49
50
51
52
53
54
55
/* * never increase the number of rows per strip */ if (rowsperstrip >= td->td_rowsperstrip) return; nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); if( nstrips == 0 ) return; /* If we are going to allocate a lot of memory, make sure that the */
+ show +
56
57
58
59
60
61
62
63
64
/* file is as big as needed */ if( tif->tif_mode == O_RDONLY && nstrips > 1000000 && (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) { return; }
+ show +
65
66
67
68
69
70
71
72
73
74
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripOffsets\" array"); if (newcounts == NULL || newoffsets == NULL) { /* * Unable to allocate new strip information, give up and use * the original one strip information. */

[xen_CVE-2017-12136_1502802445_get_maptrack_handle.diff] get_maptrack_handle_OLD.c #1
*/ if ( nr_maptrack_frames(lgt) >= max_maptrack_frames ) { - /* - * Can drop the lock since no other VCPU can be adding a new - * frame once they've run out. - */ spin_unlock(&lgt->maptrack_lock); /*
.\cloneFuncs\totalClone\Type-1\CVE-2017-12136_before_1mo_1498118108_get_maptrack_handle.c
9
10
11
12
13
14
15
16
17
18
handle = __get_maptrack_handle(lgt, curr); if ( likely(handle != -1) ) return handle; spin_lock(&lgt->maptrack_lock); /* * If we've run out of frames, try stealing an entry from another * VCPU (in case the guest isn't mapping across its VCPUs evenly).
+ show +
19
20
21
22
23
24
25
26
27
28
*/ if ( nr_maptrack_frames(lgt) >= max_maptrack_frames ) { /* * Can drop the lock since no other VCPU can be adding a new * frame once they've run out. */ spin_unlock(&lgt->maptrack_lock); /*
+ show +
29
30
31
32
33
34
35
36
37
38
* Uninitialized free list? Steal an extra entry for the tail * sentinel. */ if ( curr->maptrack_tail == MAPTRACK_TAIL ) { handle = steal_maptrack_handle(lgt, curr); if ( handle == -1 ) return -1; curr->maptrack_tail = handle; write_atomic(&curr->maptrack_head, handle);
.\cloneFuncs\totalClone\Type-3\CVE-2017-12136_before_6mo_1486155071_get_maptrack_handle.c
9
10
11
12
13
14
15
16
17
18
handle = __get_maptrack_handle(lgt, curr); if ( likely(handle != -1) ) return handle; spin_lock(&lgt->maptrack_lock); /* * If we've run out of frames, try stealing an entry from another * VCPU (in case the guest isn't mapping across its VCPUs evenly).
+ show +
19
20
21
22
23
24
25
26
27
28
*/ if ( nr_maptrack_frames(lgt) >= max_maptrack_frames ) { /* * Can drop the lock since no other VCPU can be adding a new * frame once they've run out. */ spin_unlock(&lgt->maptrack_lock); /*
+ show +
29
30
31
32
33
34
35
36
37
38
* Uninitialized free list? Steal an extra entry for the tail * sentinel. */ if ( curr->maptrack_tail == MAPTRACK_TAIL ) { handle = steal_maptrack_handle(lgt, curr); if ( handle == -1 ) return -1; curr->maptrack_tail = handle; write_atomic(&curr->maptrack_head, handle);

[xen_CVE-2017-12136_1502802445_get_maptrack_handle.diff] get_maptrack_handle_OLD.c #2
handle = steal_maptrack_handle(lgt, curr); if ( handle == -1 ) return -1; + spin_lock(&curr->maptrack_freelist_lock); + maptrack_entry(lgt, handle).ref = MAPTRACK_TAIL; curr->maptrack_tail = handle; - write_atomic(&curr->maptrack_head, handle); + if ( curr->maptrack_head == MAPTRACK_TAIL ) + write_atomic(&curr->maptrack_head, handle); + spin_unlock(&curr->maptrack_freelist_lock); } return steal_maptrack_handle(lgt, curr); }
.\cloneFuncs\totalClone\Type-1\CVE-2017-12136_before_1mo_1498118108_get_maptrack_handle.c
24
25
26
27
28
29
30
31
32
33
* frame once they've run out. */ spin_unlock(&lgt->maptrack_lock); /* * Uninitialized free list? Steal an extra entry for the tail * sentinel. */ if ( curr->maptrack_tail == MAPTRACK_TAIL ) {
+ show +
34
35
36
37
38
39
40
41
handle = steal_maptrack_handle(lgt, curr); if ( handle == -1 ) return -1; curr->maptrack_tail = handle; write_atomic(&curr->maptrack_head, handle); } return steal_maptrack_handle(lgt, curr); }
+ show +
42
43
44
45
46
47
48
49
50
51
new_mt = alloc_xenheap_page(); if ( !new_mt ) { spin_unlock(&lgt->maptrack_lock); return -1; } clear_page(new_mt); /*
.\cloneFuncs\totalClone\Type-3\CVE-2017-12136_before_6mo_1486155071_get_maptrack_handle.c
24
25
26
27
28
29
30
31
32
33
* frame once they've run out. */ spin_unlock(&lgt->maptrack_lock); /* * Uninitialized free list? Steal an extra entry for the tail * sentinel. */ if ( curr->maptrack_tail == MAPTRACK_TAIL ) {
+ show +
34
35
36
37
38
39
40
41
handle = steal_maptrack_handle(lgt, curr); if ( handle == -1 ) return -1; curr->maptrack_tail = handle; write_atomic(&curr->maptrack_head, handle); } return steal_maptrack_handle(lgt, curr); }
+ show +
42
43
44
45
46
47
48
49
50
51
new_mt = alloc_xenheap_page(); if ( !new_mt ) { spin_unlock(&lgt->maptrack_lock); return -1; } clear_page(new_mt); /*

[xen_CVE-2017-12136_1502802445_put_maptrack_handle.diff] put_maptrack_handle_OLD.c #1
/* 2. Add entry to the tail of the list on the original VCPU. */ v = currd->vcpu[maptrack_entry(t, handle).vcpu]; + spin_lock(&v->maptrack_freelist_lock); + cur_tail = read_atomic(&v->maptrack_tail); do { prev_tail = cur_tail;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12136_before_1mo_1498118108_put_maptrack_handle.c
2
3
4
5
6
7
8
9
10
11
put_maptrack_handle( struct grant_table *t, int handle) { struct domain *currd = current->domain; struct vcpu *v; unsigned int prev_tail, cur_tail; /* 1. Set entry to be a tail. */ maptrack_entry(t, handle).ref = MAPTRACK_TAIL;
+ show +
12
13
14
15
16
17
/* 2. Add entry to the tail of the list on the original VCPU. */ v = currd->vcpu[maptrack_entry(t, handle).vcpu]; cur_tail = read_atomic(&v->maptrack_tail); do { prev_tail = cur_tail;
+ show +
18
19
20
21
22
23
cur_tail = cmpxchg(&v->maptrack_tail, prev_tail, handle); } while ( cur_tail != prev_tail ); /* 3. Update the old tail entry to point to the new entry. */ write_atomic(&maptrack_entry(t, prev_tail).ref, handle); }

[xen_CVE-2017-12136_1502802445___get_maptrack_handle.diff] __get_maptrack_handle_OLD.c #1
{ unsigned int head, next, prev_head; + spin_lock(&v->maptrack_freelist_lock); + do { /* No maptrack pages allocated for this VCPU yet? */ head = read_atomic(&v->maptrack_head); if ( unlikely(head == MAPTRACK_TAIL) ) + { + spin_unlock(&v->maptrack_freelist_lock); return -1; + } /* * Always keep one entry in the free list to make it easier to
.\cloneFuncs\totalClone\Type-1\CVE-2017-12136_before_1mo_1498118108___get_maptrack_handle.c
1
2
3
4
static inline int __get_maptrack_handle( struct grant_table *t, struct vcpu *v)
+ show +
5
6
7
8
9
10
11
12
13
14
15
{ unsigned int head, next, prev_head; do { /* No maptrack pages allocated for this VCPU yet? */ head = read_atomic(&v->maptrack_head); if ( unlikely(head == MAPTRACK_TAIL) ) return -1; /* * Always keep one entry in the free list to make it easier to
+ show +
16
17
18
19
20
21
22
23
24
25
* add free entries to the tail. */ next = read_atomic(&maptrack_entry(t, head).ref); if ( unlikely(next == MAPTRACK_TAIL) ) return -1; prev_head = head; head = cmpxchg(&v->maptrack_head, prev_head, next); } while ( head != prev_head );

[xen_CVE-2017-14319_1505220313_destroy_grant_pte_mapping.diff] destroy_grant_pte_mapping_OLD.c #1
static int destroy_grant_pte_mapping( - uint64_t addr, unsigned long frame, struct domain *d) + uint64_t addr, unsigned long frame, unsigned int grant_pte_flags, + struct domain *d) { int rc = GNTST_okay; void *va;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_after_imd_1502879242_destroy_grant_pte_mapping.c
+ show +
1
2
3
4
5
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned long gmfn, mfn; struct page_info *page; l1_pgentry_t ol1e; /* * addr comes from Xen's active_entry tracking so isn't guest controlled, * but it had still better be PTE-aligned. */ if ( !IS_ALIGNED(addr, sizeof(ol1e)) ) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_before_1mo_1498478305_destroy_grant_pte_mapping.c
+ show +
1
2
3
4
5
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned long gmfn, mfn; struct page_info *page; l1_pgentry_t ol1e; gmfn = addr >> PAGE_SHIFT; page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC); if ( unlikely(!page) ) { gdprintk(XENLOG_WARNING, "Could not get page for normal update\n");
.\cloneFuncs\totalClone\Type-1\CVE-2017-14319_before_imd_1504525326_destroy_grant_pte_mapping.c
+ show +
1
2
3
4
5
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned long gmfn, mfn; struct page_info *page; l1_pgentry_t ol1e; /* * addr comes from Xen's active_entry tracking so isn't guest controlled, * but it had still better be PTE-aligned. */ if ( !IS_ALIGNED(addr, sizeof(ol1e)) ) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-12137_before_6mo_1486389243_destroy_grant_pte_mapping.c
+ show +
1
2
3
4
5
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va;
+ show +
6
7
8
9
10
11
12
13
14
15
unsigned long gmfn, mfn; struct page_info *page; l1_pgentry_t ol1e; gmfn = addr >> PAGE_SHIFT; page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC); if ( unlikely(!page) ) { MEM_LOG("Could not get page for normal update");

[xen_CVE-2017-14319_1505220313_destroy_grant_pte_mapping.diff] destroy_grant_pte_mapping_OLD.c #2
ol1e = *(l1_pgentry_t *)va; - /* Check that the virtual address supplied is actually mapped to frame. */ - if ( unlikely(l1e_get_pfn(ol1e) != frame) ) + /* + * Check that the PTE supplied actually maps frame (with appropriate + * permissions). + */ + if ( unlikely(l1e_get_pfn(ol1e) != frame) || + unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) & + (_PAGE_PRESENT | _PAGE_RW)) ) { page_unlock(page); - gdprintk(XENLOG_WARNING, - "PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", - l1e_get_intpte(ol1e), addr, frame); + gdprintk(XENLOG_ERR, + "PTE %"PRIpte" at %"PRIx64" doesn't match grant (%"PRIpte")\n", + l1e_get_intpte(ol1e), addr, + l1e_get_intpte(l1e_from_pfn(frame, grant_pte_flags))); rc = GNTST_general_error; goto failed; } + if ( unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) & + ~(_PAGE_AVAIL | PAGE_CACHE_ATTRS)) ) + gdprintk(XENLOG_WARNING, + "PTE flags %x at %"PRIx64" don't match grant (%x)\n", + l1e_get_flags(ol1e), addr, grant_pte_flags); + /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn,
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_after_imd_1502879242_destroy_grant_pte_mapping.c
36
37
38
39
40
41
42
43
44
45
goto failed; } if ( (page->u.inuse.type_info & PGT_type_mask) != PGT_l1_page_table ) { page_unlock(page); rc = GNTST_general_error; goto failed; }
+ show +
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
ol1e = *(l1_pgentry_t *)va; /* Check that the virtual address supplied is actually mapped to frame. */ if ( unlikely(l1e_get_pfn(ol1e) != frame) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn,
+ show +
62
63
64
65
66
67
68
69
70
71
d->vcpu[0] /* Change if we go to per-vcpu shadows. */, 0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; } page_unlock(page);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_before_1mo_1498478305_destroy_grant_pte_mapping.c
26
27
28
29
30
31
32
33
34
35
goto failed; } if ( (page->u.inuse.type_info & PGT_type_mask) != PGT_l1_page_table ) { page_unlock(page); rc = GNTST_general_error; goto failed; }
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
ol1e = *(l1_pgentry_t *)va; /* Check that the virtual address supplied is actually mapped to frame. */ if ( unlikely(l1e_get_pfn(ol1e) != frame) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn,
+ show +
52
53
54
55
56
57
58
59
60
61
d->vcpu[0] /* Change if we go to per-vcpu shadows. */, 0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; } page_unlock(page);
.\cloneFuncs\totalClone\Type-1\CVE-2017-14319_before_imd_1504525326_destroy_grant_pte_mapping.c
36
37
38
39
40
41
42
43
44
45
goto failed; } if ( (page->u.inuse.type_info & PGT_type_mask) != PGT_l1_page_table ) { page_unlock(page); rc = GNTST_general_error; goto failed; }
+ show +
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
ol1e = *(l1_pgentry_t *)va; /* Check that the virtual address supplied is actually mapped to frame. */ if ( unlikely(l1e_get_pfn(ol1e) != frame) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn,
+ show +
62
63
64
65
66
67
68
69
70
71
d->vcpu[0] /* Change if we go to per-vcpu shadows. */, 0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; } page_unlock(page);

[xen_CVE-2017-14319_1505220313_destroy_grant_pte_mapping.diff] destroy_grant_pte_mapping_OLD.c #3
0)) ) { page_unlock(page); - gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); + gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %"PRIx64"\n", + addr); rc = GNTST_general_error; goto failed; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_after_imd_1502879242_destroy_grant_pte_mapping.c
53
54
55
56
57
58
59
60
61
62
"PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn, d->vcpu[0] /* Change if we go to per-vcpu shadows. */,
+ show +
63
64
65
66
67
68
69
0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; }
+ show +
70
71
72
73
74
75
76
77
page_unlock(page); failed: unmap_domain_page(va); put_page(page); return rc; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_before_1mo_1498478305_destroy_grant_pte_mapping.c
43
44
45
46
47
48
49
50
51
52
"PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn, d->vcpu[0] /* Change if we go to per-vcpu shadows. */,
+ show +
53
54
55
56
57
58
59
0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; }
+ show +
60
61
62
63
64
65
66
67
page_unlock(page); failed: unmap_domain_page(va); put_page(page); return rc; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-14319_before_imd_1504525326_destroy_grant_pte_mapping.c
53
54
55
56
57
58
59
60
61
62
"PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n", l1e_get_intpte(ol1e), addr, frame); rc = GNTST_general_error; goto failed; } /* Delete pagetable entry. */ if ( unlikely(!UPDATE_ENTRY(l1, (l1_pgentry_t *)va, ol1e, l1e_empty(), mfn, d->vcpu[0] /* Change if we go to per-vcpu shadows. */,
+ show +
63
64
65
66
67
68
69
0)) ) { page_unlock(page); gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va); rc = GNTST_general_error; goto failed; }
+ show +
70
71
72
73
74
75
76
77
page_unlock(page); failed: unmap_domain_page(va); put_page(page); return rc; }

[xen_CVE-2017-12137_1502802405_create_grant_pte_mapping.diff] create_grant_pte_mapping_OLD.c #1
l1_pgentry_t ol1e; struct domain *d = v->domain; + if ( !IS_ALIGNED(pte_addr, sizeof(nl1e)) ) + return GNTST_general_error; + adjust_guest_l1e(nl1e, d); gmfn = pte_addr >> PAGE_SHIFT;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_before_1mo_1498478305_create_grant_pte_mapping.c
1
2
3
4
5
6
7
static int create_grant_pte_mapping( uint64_t pte_addr, l1_pgentry_t nl1e, struct vcpu *v) { int rc = GNTST_okay; void *va; unsigned long gmfn, mfn; struct page_info *page;
+ show +
8
9
10
11
12
13
l1_pgentry_t ol1e; struct domain *d = v->domain; adjust_guest_l1e(nl1e, d); gmfn = pte_addr >> PAGE_SHIFT;
+ show +
14
15
16
17
18
19
20
21
22
23
page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC); if ( unlikely(!page) ) { gdprintk(XENLOG_WARNING, "Could not get page for normal update\n"); return GNTST_general_error; } mfn = page_to_mfn(page); va = map_domain_page(_mfn(mfn));
.\cloneFuncs\totalClone\Type-3\CVE-2017-12137_before_6mo_1486389243_create_grant_pte_mapping.c
1
2
3
4
5
6
7
static int create_grant_pte_mapping( uint64_t pte_addr, l1_pgentry_t nl1e, struct vcpu *v) { int rc = GNTST_okay; void *va; unsigned long gmfn, mfn; struct page_info *page;
+ show +
8
9
10
11
12
13
l1_pgentry_t ol1e; struct domain *d = v->domain; adjust_guest_l1e(nl1e, d); gmfn = pte_addr >> PAGE_SHIFT;
+ show +
14
15
16
17
18
19
20
21
22
23
page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC); if ( unlikely(!page) ) { MEM_LOG("Could not get page for normal update"); return GNTST_general_error; } mfn = page_to_mfn(page); va = map_domain_page(_mfn(mfn));

[xen_CVE-2017-12137_1502802405_destroy_grant_pte_mapping.diff] destroy_grant_pte_mapping_OLD.c #1
struct page_info *page; l1_pgentry_t ol1e; + /* + * addr comes from Xen's active_entry tracking so isn't guest controlled, + * but it had still better be PTE-aligned. + */ + if ( !IS_ALIGNED(addr, sizeof(ol1e)) ) + { + ASSERT_UNREACHABLE(); + return GNTST_general_error; + } + gmfn = addr >> PAGE_SHIFT; page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12137_before_1mo_1498478305_destroy_grant_pte_mapping.c
1
2
3
4
5
6
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va; unsigned long gmfn, mfn;
+ show +
7
8
9
10
11
struct page_info *page; l1_pgentry_t ol1e; gmfn = addr >> PAGE_SHIFT; page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
+ show +
12
13
14
15
16
17
18
19
20
21
if ( unlikely(!page) ) { gdprintk(XENLOG_WARNING, "Could not get page for normal update\n"); return GNTST_general_error; } mfn = page_to_mfn(page); va = map_domain_page(_mfn(mfn)); va = (void *)((unsigned long)va + ((unsigned long)addr & ~PAGE_MASK));
.\cloneFuncs\totalClone\Type-2\CVE-2017-12137_before_6mo_1486389243_destroy_grant_pte_mapping.c
1
2
3
4
5
6
static int destroy_grant_pte_mapping( uint64_t addr, unsigned long frame, struct domain *d) { int rc = GNTST_okay; void *va; unsigned long gmfn, mfn;
+ show +
7
8
9
10
11
struct page_info *page; l1_pgentry_t ol1e; gmfn = addr >> PAGE_SHIFT; page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
+ show +
12
13
14
15
16
17
18
19
20
21
if ( unlikely(!page) ) { MEM_LOG("Could not get page for normal update"); return GNTST_general_error; } mfn = page_to_mfn(page); va = map_domain_page(_mfn(mfn)); va = (void *)((unsigned long)va + ((unsigned long)addr & ~PAGE_MASK));

[linux_CVE-2017-12153_1505254881_nl80211_set_rekey_data.diff] nl80211_set_rekey_data_OLD.c #1
if (err) return err; + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || + !tb[NL80211_REKEY_DATA_KCK]) + return -EINVAL; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
.\cloneFuncs\totalClone\Type-1\CVE-2017-12153_before_1mo_1499423755_nl80211_set_rekey_data.c
6
7
8
9
10
11
12
13
14
15
struct nlattr *tb[NUM_NL80211_REKEY_DATA]; struct cfg80211_gtk_rekey_data rekey_data; int err; if (!info->attrs[NL80211_ATTR_REKEY_DATA]) return -EINVAL; err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA, info->attrs[NL80211_ATTR_REKEY_DATA], nl80211_rekey_policy, info->extack);
+ show +
16
17
18
19
20
21
if (err) return err; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
+ show +
22
23
24
25
26
27
28
29
30
31
return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN) return -ERANGE; rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]); rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]); rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]); wdev_lock(wdev); if (!wdev->current_bss) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-12153_before_6mo_1489629437_nl80211_set_rekey_data.c
6
7
8
9
10
11
12
13
14
15
struct nlattr *tb[NUM_NL80211_REKEY_DATA]; struct cfg80211_gtk_rekey_data rekey_data; int err; if (!info->attrs[NL80211_ATTR_REKEY_DATA]) return -EINVAL; err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA, info->attrs[NL80211_ATTR_REKEY_DATA], nl80211_rekey_policy);
+ show +
16
17
18
19
20
21
if (err) return err; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
+ show +
22
23
24
25
26
27
28
29
30
31
return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN) return -ERANGE; rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]); rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]); rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]); wdev_lock(wdev); if (!wdev->current_bss) {

[linux_CVE-2017-12154_1505246574_prepare_vmcs02.diff] prepare_vmcs02_OLD.c #1
if (exec_control & CPU_BASED_TPR_SHADOW) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); + } else { +#ifdef CONFIG_X86_64 + exec_control |= CPU_BASED_CR8_LOAD_EXITING | + CPU_BASED_CR8_STORE_EXITING; +#endif } /*
.\cloneFuncs\totalClone\Type-1\CVE-2017-12154_before_imd_1505230961_prepare_vmcs02.c
193
194
195
196
197
198
199
200
201
202
exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING; exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING; exec_control &= ~CPU_BASED_TPR_SHADOW; exec_control |= vmcs12->cpu_based_vm_exec_control; /* * Write an illegal value to VIRTUAL_APIC_PAGE_ADDR. Later, if * nested_get_vmcs12_pages can't fix it up, the illegal value * will result in a VM entry failure. */
+ show +
203
204
205
206
207
208
if (exec_control & CPU_BASED_TPR_SHADOW) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); } /*
+ show +
209
210
211
212
213
214
215
216
217
218
* Merging of IO bitmap not currently supported. * Rather, exit every time. */ exec_control &= ~CPU_BASED_USE_IO_BITMAPS; exec_control |= CPU_BASED_UNCOND_IO_EXITING; vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, exec_control); /* EXCEPTION_BITMAP and CR0_GUEST_HOST_MASK should basically be the * bitwise-or of what L1 wants to trap for L2, and what we want to
.\cloneFuncs\totalClone\Type-3\CVE-2017-12154_before_1mo_1502401014_prepare_vmcs02.c
192
193
194
195
196
197
198
199
200
201
exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING; exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING; exec_control &= ~CPU_BASED_TPR_SHADOW; exec_control |= vmcs12->cpu_based_vm_exec_control; /* * Write an illegal value to VIRTUAL_APIC_PAGE_ADDR. Later, if * nested_get_vmcs12_pages can't fix it up, the illegal value * will result in a VM entry failure. */
+ show +
202
203
204
205
206
207
if (exec_control & CPU_BASED_TPR_SHADOW) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); } /*
+ show +
208
209
210
211
212
213
214
215
216
217
* Merging of IO bitmap not currently supported. * Rather, exit every time. */ exec_control &= ~CPU_BASED_USE_IO_BITMAPS; exec_control |= CPU_BASED_UNCOND_IO_EXITING; vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, exec_control); /* EXCEPTION_BITMAP and CR0_GUEST_HOST_MASK should basically be the * bitwise-or of what L1 wants to trap for L2, and what we want to
.\cloneFuncs\totalClone\Type-3\CVE-2017-12154_before_6mo_1489511108_prepare_vmcs02.c
194
195
196
197
198
199
200
201
202
203
exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING; exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING; exec_control &= ~CPU_BASED_TPR_SHADOW; exec_control |= vmcs12->cpu_based_vm_exec_control; /* * Write an illegal value to VIRTUAL_APIC_PAGE_ADDR. Later, if * nested_get_vmcs12_pages can't fix it up, the illegal value * will result in a VM entry failure. */
+ show +
204
205
206
207
208
209
if (exec_control & CPU_BASED_TPR_SHADOW) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); } /*
+ show +
210
211
212
213
214
215
216
217
218
219
* Merging of IO bitmap not currently supported. * Rather, exit every time. */ exec_control &= ~CPU_BASED_USE_IO_BITMAPS; exec_control |= CPU_BASED_UNCOND_IO_EXITING; vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, exec_control); /* EXCEPTION_BITMAP and CR0_GUEST_HOST_MASK should basically be the * bitwise-or of what L1 wants to trap for L2, and what we want to

[linux_CVE-2017-12193_1507761147_assoc_array_insert_into_terminal_node.diff] assoc_array_insert_into_terminal_node_OLD.c #1
if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0) goto all_leaves_cluster_together; - /* Otherwise we can just insert a new node ahead of the old - * one. + /* Otherwise all the old leaves cluster in the same slot, but + * the new leaf wants to go into a different slot - so we + * create a new node (n0) to hold the new leaf and a pointer to + * a new node (n1) holding all the old leaves. + * + * This can be done by falling through to the node splitting + * path. */ - goto present_leaves_cluster_but_not_new_leaf; + pr_devel("present leaves cluster but not new leaf\n"); } split_node: pr_devel("split node\n"); - /* We need to split the current node; we know that the node doesn't - * simply contain a full set of leaves that cluster together (it - * contains meta pointers and/or non-clustering leaves). + /* We need to split the current node. The node must contain anything + * from a single leaf (in the one leaf case, this leaf will cluster + * with the new leaf) and the rest meta-pointers, to all leaves, some + * of which may cluster. + * + * It won't contain the case in which all the current leaves plus the + * new leaves want to cluster in the same slot. * * We need to expel at least two leaves out of a set consisting of the - * leaves in the node and the new leaf. + * leaves in the node and the new leaf. The current meta pointers can + * just be copied as they shouldn't cluster with any of the leaves. * * We need a new node (n0) to replace the current one and a new node to * take the expelled nodes (n1).
.\cloneFuncs\totalClone\Type-1\CVE-2017-12193_before_1mo_1459948008_assoc_array_insert_into_terminal_node.c
98
99
100
101
102
103
104
105
106
107
base_seg = edit->segment_cache[0]; for (i = 1; i < ASSOC_ARRAY_FAN_OUT; i++) dissimilarity |= edit->segment_cache[i] ^ base_seg; pr_devel("only leaves; dissimilarity=%lx\n", dissimilarity); if ((dissimilarity & ASSOC_ARRAY_FAN_MASK) == 0) { /* The old leaves all cluster in the same slot. We will need * to insert a shortcut if the new node wants to cluster with them. */
+ show +
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0) goto all_leaves_cluster_together; /* Otherwise we can just insert a new node ahead of the old * one. */ goto present_leaves_cluster_but_not_new_leaf; } split_node: pr_devel("split node\n"); /* We need to split the current node; we know that the node doesn't * simply contain a full set of leaves that cluster together (it * contains meta pointers and/or non-clustering leaves). * * We need to expel at least two leaves out of a set consisting of the * leaves in the node and the new leaf. * * We need a new node (n0) to replace the current one and a new node to * take the expelled nodes (n1).
+ show +
129
130
131
132
133
134
135
136
137
138
*/ edit->set[0].to = assoc_array_node_to_ptr(new_n0); new_n0->back_pointer = node->back_pointer; new_n0->parent_slot = node->parent_slot; new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); new_n1->parent_slot = -1; /* Need to calculate this */ do_split_node: pr_devel("do_split_node\n");
.\cloneFuncs\totalClone\Type-3\CVE-2017-12193_before_6mo_1419918381_assoc_array_insert_into_terminal_node.c
96
97
98
99
100
101
102
103
104
105
base_seg = edit->segment_cache[0]; for (i = 1; i < ASSOC_ARRAY_FAN_OUT; i++) dissimilarity |= edit->segment_cache[i] ^ base_seg; pr_devel("only leaves; dissimilarity=%lx\n", dissimilarity); if ((dissimilarity & ASSOC_ARRAY_FAN_MASK) == 0) { /* The old leaves all cluster in the same slot. We will need * to insert a shortcut if the new node wants to cluster with them. */
+ show +
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0) goto all_leaves_cluster_together; /* Otherwise we can just insert a new node ahead of the old * one. */ goto present_leaves_cluster_but_not_new_leaf; } split_node: pr_devel("split node\n"); /* We need to split the current node; we know that the node doesn't * simply contain a full set of leaves that cluster together (it * contains meta pointers and/or non-clustering leaves). * * We need to expel at least two leaves out of a set consisting of the * leaves in the node and the new leaf. * * We need a new node (n0) to replace the current one and a new node to * take the expelled nodes (n1).
+ show +
127
128
129
130
131
132
133
134
135
136
*/ edit->set[0].to = assoc_array_node_to_ptr(new_n0); new_n0->back_pointer = node->back_pointer; new_n0->parent_slot = node->parent_slot; new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); new_n1->parent_slot = -1; /* Need to calculate this */ do_split_node: pr_devel("do_split_node\n");

[linux_CVE-2017-12193_1507761147_assoc_array_insert_into_terminal_node.diff] assoc_array_insert_into_terminal_node_OLD.c #2
pr_devel("<--%s() = ok [split node]\n", __func__); return true; -present_leaves_cluster_but_not_new_leaf: - /* All the old leaves cluster in the same slot, but the new leaf wants - * to go into a different slot, so we create a new node to hold the new - * leaf and a pointer to a new node holding all the old leaves. - */ - pr_devel("present leaves cluster but not new leaf\n"); - - new_n0->back_pointer = node->back_pointer; - new_n0->parent_slot = node->parent_slot; - new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch; - new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); - new_n1->parent_slot = edit->segment_cache[0]; - new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch; - edit->adjust_count_on = new_n0; - - for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++) - new_n1->slots[i] = node->slots[i]; - - new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0); - edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]]; - - edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot]; - edit->set[0].to = assoc_array_node_to_ptr(new_n0); - edit->excised_meta[0] = assoc_array_node_to_ptr(node); - pr_devel("<--%s() = ok [insert node before]\n", __func__); - return true; - all_leaves_cluster_together: /* All the leaves, new and old, want to cluster together in this node * in the same slot, so we have to replace this node with a shortcut to
.\cloneFuncs\totalClone\Type-1\CVE-2017-12193_before_1mo_1459948008_assoc_array_insert_into_terminal_node.c
217
218
219
220
221
222
223
224
225
226
} ptr = node->back_pointer; if (!ptr) edit->set[0].ptr = &edit->array->root; else if (assoc_array_ptr_is_node(ptr)) edit->set[0].ptr = &assoc_array_ptr_to_node(ptr)->slots[node->parent_slot]; else edit->set[0].ptr = &assoc_array_ptr_to_shortcut(ptr)->next_node; edit->excised_meta[0] = assoc_array_node_to_ptr(node);
+ show +
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
pr_devel("<--%s() = ok [split node]\n", __func__); return true; present_leaves_cluster_but_not_new_leaf: /* All the old leaves cluster in the same slot, but the new leaf wants * to go into a different slot, so we create a new node to hold the new * leaf and a pointer to a new node holding all the old leaves. */ pr_devel("present leaves cluster but not new leaf\n"); new_n0->back_pointer = node->back_pointer; new_n0->parent_slot = node->parent_slot; new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch; new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); new_n1->parent_slot = edit->segment_cache[0]; new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch; edit->adjust_count_on = new_n0; for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++) new_n1->slots[i] = node->slots[i]; new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0); edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]]; edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot]; edit->set[0].to = assoc_array_node_to_ptr(new_n0); edit->excised_meta[0] = assoc_array_node_to_ptr(node); pr_devel("<--%s() = ok [insert node before]\n", __func__); return true; all_leaves_cluster_together: /* All the leaves, new and old, want to cluster together in this node * in the same slot, so we have to replace this node with a shortcut to
+ show +
260
261
262
263
264
265
266
267
268
269
* skip over the identical parts of the key and then place a pair of * nodes, one inside the other, at the end of the shortcut and * distribute the keys between them. * * Firstly we need to work out where the leaves start diverging as a * bit position into their keys so that we know how big the shortcut * needs to be. * * We only need to make a single pass of N of the N+1 leaves because if * any keys differ between themselves at bit X then at least one of
.\cloneFuncs\totalClone\Type-3\CVE-2017-12193_before_6mo_1419918381_assoc_array_insert_into_terminal_node.c
215
216
217
218
219
220
221
222
223
224
} ptr = node->back_pointer; if (!ptr) edit->set[0].ptr = &edit->array->root; else if (assoc_array_ptr_is_node(ptr)) edit->set[0].ptr = &assoc_array_ptr_to_node(ptr)->slots[node->parent_slot]; else edit->set[0].ptr = &assoc_array_ptr_to_shortcut(ptr)->next_node; edit->excised_meta[0] = assoc_array_node_to_ptr(node);
+ show +
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
pr_devel("<--%s() = ok [split node]\n", __func__); return true; present_leaves_cluster_but_not_new_leaf: /* All the old leaves cluster in the same slot, but the new leaf wants * to go into a different slot, so we create a new node to hold the new * leaf and a pointer to a new node holding all the old leaves. */ pr_devel("present leaves cluster but not new leaf\n"); new_n0->back_pointer = node->back_pointer; new_n0->parent_slot = node->parent_slot; new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch; new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); new_n1->parent_slot = edit->segment_cache[0]; new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch; edit->adjust_count_on = new_n0; for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++) new_n1->slots[i] = node->slots[i]; new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0); edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]]; edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot]; edit->set[0].to = assoc_array_node_to_ptr(new_n0); edit->excised_meta[0] = assoc_array_node_to_ptr(node); pr_devel("<--%s() = ok [insert node before]\n", __func__); return true; all_leaves_cluster_together: /* All the leaves, new and old, want to cluster together in this node * in the same slot, so we have to replace this node with a shortcut to
+ show +
258
259
260
261
262
263
264
265
266
267
* skip over the identical parts of the key and then place a pair of * nodes, one inside the other, at the end of the shortcut and * distribute the keys between them. * * Firstly we need to work out where the leaves start diverging as a * bit position into their keys so that we know how big the shortcut * needs to be. * * We only need to make a single pass of N of the N+1 leaves because if * any keys differ between themselves at bit X then at least one of

[tcpdump_CVE-2017-12893_1486169817_name_len.diff] name_len_OLD.c #1
return(-1); /* name goes past the end of the buffer */ ND_TCHECK2(*s, 1); s += (*s) + 1; + ND_TCHECK2(*s, 1); } return(PTR_DIFF(s, s0) + 1);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12893_before_1mo_1441970576_name_len.c
6
7
8
9
10
11
12
13
14
15
unsigned char c; if (s >= maxbuf) return(-1); /* name goes past the end of the buffer */ ND_TCHECK2(*s, 1); c = *s; if ((c & 0xC0) == 0xC0) return(2); while (*s) { if (s >= maxbuf)
+ show +
16
17
18
19
20
return(-1); /* name goes past the end of the buffer */ ND_TCHECK2(*s, 1); s += (*s) + 1; } return(PTR_DIFF(s, s0) + 1);
+ show +
21
22
23
24
trunc: return(-1); /* name goes past the end of the buffer */ }

[tcpdump_CVE-2017-12894_1486176840_le64addr_string.diff] le64addr_string_OLD.c #1
const unsigned int len = 8; register u_int i; register char *cp; - register struct enamemem *tp; + register struct bsnamemem *tp; char buf[BUFSIZE]; tp = lookup_bytestring(ndo, ep, len); - if (tp->e_name) - return (tp->e_name); + if (tp->bs_name) + return (tp->bs_name); cp = buf; for (i = len; i > 0 ; --i) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12894_before_1mo_1472059856_le64addr_string.c
1
2
3
const char * le64addr_string(netdissect_options *ndo, const u_char *ep) {
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
const unsigned int len = 8; register u_int i; register char *cp; register struct enamemem *tp; char buf[BUFSIZE]; tp = lookup_bytestring(ndo, ep, len); if (tp->e_name) return (tp->e_name); cp = buf; for (i = len; i > 0 ; --i) {
+ show +
16
17
18
19
20
21
22
23
24
25
*cp++ = hex[*(ep + i - 1) >> 4]; *cp++ = hex[*(ep + i - 1) & 0xf]; *cp++ = ':'; } cp --; *cp = '\0'; tp->e_name = strdup(buf); if (tp->e_name == NULL)

[tcpdump_CVE-2017-12894_1486176840_linkaddr_string.diff] linkaddr_string_OLD.c #1
{ register u_int i; register char *cp; - register struct enamemem *tp; + register struct bsnamemem *tp; if (len == 0) return ("<empty>");
.\cloneFuncs\totalClone\Type-1\CVE-2017-12894_before_1mo_1472059856_linkaddr_string.c
1
2
3
const char * linkaddr_string(netdissect_options *ndo, const u_char *ep, const unsigned int type, const unsigned int len)
+ show +
4
5
6
7
8
9
10
{ register u_int i; register char *cp; register struct enamemem *tp; if (len == 0) return ("<empty>");
+ show +
11
12
13
14
15
16
17
18
19
20
if (type == LINKADDR_ETHER && len == ETHER_ADDR_LEN) return (etheraddr_string(ndo, ep)); if (type == LINKADDR_FRELAY) return (q922_string(ndo, ep, len)); tp = lookup_bytestring(ndo, ep, len); if (tp->e_name) return (tp->e_name);

[tcpdump_CVE-2017-12894_1486176840_linkaddr_string.diff] linkaddr_string_OLD.c #2
return (q922_string(ndo, ep, len)); tp = lookup_bytestring(ndo, ep, len); - if (tp->e_name) - return (tp->e_name); + if (tp->bs_name) + return (tp->bs_name); - tp->e_name = cp = (char *)malloc(len*3); - if (tp->e_name == NULL) + tp->bs_name = cp = (char *)malloc(len*3); + if (tp->bs_name == NULL) (*ndo->ndo_error)(ndo, "linkaddr_string: malloc"); *cp++ = hex[*ep >> 4]; *cp++ = hex[*ep++ & 0xf];
.\cloneFuncs\totalClone\Type-1\CVE-2017-12894_before_1mo_1472059856_linkaddr_string.c
6
7
8
9
10
11
12
13
14
15
register char *cp; register struct enamemem *tp; if (len == 0) return ("<empty>"); if (type == LINKADDR_ETHER && len == ETHER_ADDR_LEN) return (etheraddr_string(ndo, ep)); if (type == LINKADDR_FRELAY)
+ show +
16
17
18
19
20
21
22
23
24
25
26
return (q922_string(ndo, ep, len)); tp = lookup_bytestring(ndo, ep, len); if (tp->e_name) return (tp->e_name); tp->e_name = cp = (char *)malloc(len*3); if (tp->e_name == NULL) (*ndo->ndo_error)(ndo, "linkaddr_string: malloc"); *cp++ = hex[*ep >> 4]; *cp++ = hex[*ep++ & 0xf];
+ show +
27
28
29
30
31
32
33
34
for (i = len-1; i > 0 ; --i) { *cp++ = ':'; *cp++ = hex[*ep >> 4]; *cp++ = hex[*ep++ & 0xf]; } *cp = '\0'; return (tp->e_name); }

[tcpdump_CVE-2017-12894_1486176840_lookup_bytestring.diff] lookup_bytestring_OLD.c #1
-static inline struct enamemem * +static inline struct bsnamemem * lookup_bytestring(netdissect_options *ndo, register const u_char *bs, const unsigned int nlen) { - struct enamemem *tp; + struct bsnamemem *tp; register u_int i, j, k; if (nlen >= 6) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12894_before_1mo_1472059856_lookup_bytestring.c
+ show +
1
2
3
4
5
6
7
8
static inline struct enamemem * lookup_bytestring(netdissect_options *ndo, register const u_char *bs, const unsigned int nlen) { struct enamemem *tp; register u_int i, j, k; if (nlen >= 6) {
+ show +
9
10
11
12
13
14
15
16
17
18
k = (bs[0] << 8) | bs[1]; j = (bs[2] << 8) | bs[3]; i = (bs[4] << 8) | bs[5]; } else if (nlen >= 4) { k = (bs[0] << 8) | bs[1]; j = (bs[2] << 8) | bs[3]; i = 0; } else i = j = k = 0;

[tcpdump_CVE-2017-12896_1486149334_isakmp_rfc3948_print.diff] isakmp_rfc3948_print_OLD.c #1
const u_char *bp, u_int length, const u_char *bp2) { - + ND_TCHECK(bp[0]); if(length == 1 && bp[0]==0xff) { ND_PRINT((ndo, "isakmp-nat-keep-alive")); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12896_before_1mo_1473623126_isakmp_rfc3948_print.c
1
2
void isakmp_rfc3948_print(netdissect_options *ndo,
+ show +
3
4
5
6
7
8
9
const u_char *bp, u_int length, const u_char *bp2) { if(length == 1 && bp[0]==0xff) { ND_PRINT((ndo, "isakmp-nat-keep-alive")); return;
+ show +
10
11
12
13
14
15
16
17
18
19
} if(length < 4) { goto trunc; } /* * see if this is an IKE packet */ if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {

[tcpdump_CVE-2017-12896_1486149334_isakmp_rfc3948_print.diff] isakmp_rfc3948_print_OLD.c #2
if(length < 4) { goto trunc; } + ND_TCHECK(bp[3]); /* * see if this is an IKE packet
.\cloneFuncs\totalClone\Type-1\CVE-2017-12896_before_1mo_1473623126_isakmp_rfc3948_print.c
2
3
4
5
6
7
8
9
10
11
isakmp_rfc3948_print(netdissect_options *ndo, const u_char *bp, u_int length, const u_char *bp2) { if(length == 1 && bp[0]==0xff) { ND_PRINT((ndo, "isakmp-nat-keep-alive")); return; }
+ show +
12
13
14
15
16
17
if(length < 4) { goto trunc; } /* * see if this is an IKE packet
+ show +
18
19
20
21
22
23
24
25
26
27
*/ if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { ND_PRINT((ndo, "NONESP-encap: ")); isakmp_print(ndo, bp+4, length-4, bp2); return; } /* must be an ESP packet */ { int nh, enh, padlen;

[tcpdump_CVE-2017-12898_1486163691_interp_reply.diff] interp_reply_OLD.c #1
ND_PRINT((ndo, " attr:")); if (!(dp = parse_post_op_attr(ndo, dp, ndo->ndo_vflag))) break; - if (!er) + if (!er) { + ND_TCHECK(dp[0]); ND_PRINT((ndo, " c %04x", EXTRACT_32BITS(&dp[0]))); + } return; case NFSPROC_READLINK:
.\cloneFuncs\totalClone\Type-1\CVE-2017-12898_before_1mo_1472059856_interp_reply.c
59
60
61
62
63
64
65
66
67
68
return; } break; case NFSPROC_ACCESS: if (!(dp = parserep(ndo, rp, length))) break; if (!(dp = parsestatus(ndo, dp, &er))) break; if (ndo->ndo_vflag)
+ show +
69
70
71
72
73
74
75
76
ND_PRINT((ndo, " attr:")); if (!(dp = parse_post_op_attr(ndo, dp, ndo->ndo_vflag))) break; if (!er) ND_PRINT((ndo, " c %04x", EXTRACT_32BITS(&dp[0]))); return; case NFSPROC_READLINK:
+ show +
77
78
79
80
81
82
83
84
85
86
dp = parserep(ndo, rp, length); if (dp != NULL && parselinkres(ndo, dp, v3) != 0) return; break; case NFSPROC_READ: if (!(dp = parserep(ndo, rp, length))) break; if (v3) { if (!(dp = parsestatus(ndo, dp, &er)))
.\cloneFuncs\totalClone\Type-2\CVE-2017-12898_before_6mo_1442527004_interp_reply.c
59
60
61
62
63
64
65
66
67
68
return; } break; case NFSPROC_ACCESS: if (!(dp = parserep(ndo, rp, length))) break; if (!(dp = parsestatus(ndo, dp, &er))) break; if (ndo->ndo_vflag)
+ show +
69
70
71
72
73
74
75
76
ND_PRINT((ndo, " attr:")); if (!(dp = parse_post_op_attr(ndo, dp, ndo->ndo_vflag))) break; if (!er) ND_PRINT((ndo, " c %04x", EXTRACT_32BITS(&dp[0]))); return; case NFSPROC_READLINK:
+ show +
77
78
79
80
81
82
83
84
85
86
dp = parserep(ndo, rp, length); if (dp != NULL && parselinkres(ndo, dp, v3) != 0) return; break; case NFSPROC_READ: if (!(dp = parserep(ndo, rp, length))) break; if (v3) { if (!(dp = parsestatus(ndo, dp, &er)))

[tcpdump_CVE-2017-12898_1486163691_nfsreq_print_noaddr.diff] nfsreq_print_noaddr_OLD.c #1
if ((dp = parsereq(ndo, rp, length)) != NULL && (dp = parsefh(ndo, dp, v3)) != NULL) { if (v3) { - ND_TCHECK(dp[2]); + ND_TCHECK(dp[4]); ND_PRINT((ndo, " %u (%u) bytes @ %" PRIu64, EXTRACT_32BITS(&dp[4]), EXTRACT_32BITS(&dp[2]), EXTRACT_64BITS(&dp[0]))); if (ndo->ndo_vflag) { - dp += 3; - ND_TCHECK(dp[0]); ND_PRINT((ndo, " <%s>", tok2str(nfsv3_writemodes, - NULL, EXTRACT_32BITS(dp)))); + NULL, EXTRACT_32BITS(&dp[3])))); } } else { ND_TCHECK(dp[3]);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12898_before_1mo_1472059856_nfsreq_print_noaddr.c
99
100
101
102
103
104
105
106
107
108
ND_TCHECK(dp[1]); ND_PRINT((ndo, " %u bytes @ %u", EXTRACT_32BITS(&dp[1]), EXTRACT_32BITS(&dp[0]))); } return; } break; case NFSPROC_WRITE:
+ show +
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
if ((dp = parsereq(ndo, rp, length)) != NULL && (dp = parsefh(ndo, dp, v3)) != NULL) { if (v3) { ND_TCHECK(dp[2]); ND_PRINT((ndo, " %u (%u) bytes @ %" PRIu64, EXTRACT_32BITS(&dp[4]), EXTRACT_32BITS(&dp[2]), EXTRACT_64BITS(&dp[0]))); if (ndo->ndo_vflag) { dp += 3; ND_TCHECK(dp[0]); ND_PRINT((ndo, " <%s>", tok2str(nfsv3_writemodes, NULL, EXTRACT_32BITS(dp)))); } } else { ND_TCHECK(dp[3]);
+ show +
126
127
128
129
130
131
132
133
134
135
ND_PRINT((ndo, " %u (%u) bytes @ %u (%u)", EXTRACT_32BITS(&dp[3]), EXTRACT_32BITS(&dp[2]), EXTRACT_32BITS(&dp[1]), EXTRACT_32BITS(&dp[0]))); } return; } break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-12898_before_6mo_1442527004_nfsreq_print_noaddr.c
99
100
101
102
103
104
105
106
107
108
ND_TCHECK(dp[1]); ND_PRINT((ndo, " %u bytes @ %u", EXTRACT_32BITS(&dp[1]), EXTRACT_32BITS(&dp[0]))); } return; } break; case NFSPROC_WRITE:
+ show +
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
if ((dp = parsereq(ndo, rp, length)) != NULL && (dp = parsefh(ndo, dp, v3)) != NULL) { if (v3) { ND_TCHECK(dp[2]); ND_PRINT((ndo, " %u (%u) bytes @ %" PRIu64, EXTRACT_32BITS(&dp[4]), EXTRACT_32BITS(&dp[2]), EXTRACT_64BITS(&dp[0]))); if (ndo->ndo_vflag) { dp += 3; ND_TCHECK(dp[0]); ND_PRINT((ndo, " <%s>", tok2str(nfsv3_writemodes, NULL, EXTRACT_32BITS(dp)))); } } else { ND_TCHECK(dp[3]);
+ show +
126
127
128
129
130
131
132
133
134
135
ND_PRINT((ndo, " %u (%u) bytes @ %u (%u)", EXTRACT_32BITS(&dp[3]), EXTRACT_32BITS(&dp[2]), EXTRACT_32BITS(&dp[1]), EXTRACT_32BITS(&dp[0]))); } return; } break;

[tcpdump_CVE-2017-12898_1486163691_parserep.diff] parserep_OLD.c #1
* skip past the ar_verf credentials. */ dp += (len + (2*sizeof(uint32_t) + 3)) / sizeof(uint32_t); - ND_TCHECK2(dp[0], 0); /* * now we can check the ar_stat field */ + ND_TCHECK(dp[0]); astat = (enum sunrpc_accept_stat) EXTRACT_32BITS(dp); if (astat != SUNRPC_SUCCESS) { ND_PRINT((ndo, " %s", tok2str(sunrpc_str, "ar_stat %d", astat)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-12898_before_1mo_1472059856_parserep.c
20
21
22
23
24
25
26
27
28
29
* the internal representation to parse the on-the-wire * representation. Instead, we skip past the rp_stat field, * which is an "enum" and so occupies one 32-bit word. */ dp = ((const uint32_t *)&rp->rm_reply) + 1; ND_TCHECK(dp[1]); len = EXTRACT_32BITS(&dp[1]); if (len >= length) return (NULL); /*
+ show +
30
31
32
33
34
35
36
37
38
39
40
* skip past the ar_verf credentials. */ dp += (len + (2*sizeof(uint32_t) + 3)) / sizeof(uint32_t); ND_TCHECK2(dp[0], 0); /* * now we can check the ar_stat field */ astat = (enum sunrpc_accept_stat) EXTRACT_32BITS(dp); if (astat != SUNRPC_SUCCESS) { ND_PRINT((ndo, " %s", tok2str(sunrpc_str, "ar_stat %d", astat)));
+ show +
41
42
43
44
45
46
47
48
49
nfserr = 1; /* suppress trunc string */ return (NULL); } /* successful return */ ND_TCHECK2(*dp, sizeof(astat)); return ((const uint32_t *) (sizeof(astat) + ((const char *)dp))); trunc: return (0); }

[tcpdump_CVE-2017-12899_1486165944_decnet_print.diff] decnet_print_OLD.c #1
length -= padlen; caplen -= padlen; rhp = (const union routehdr *)&(ap[sizeof(short)]); + ND_TCHECK(rhp->rh_short.sh_flags); mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags); }
.\cloneFuncs\totalClone\Type-1\CVE-2017-12899_before_1mo_1471182139_decnet_print.c
34
35
36
37
38
39
40
41
42
43
/* pad bytes of some sort in front of message */ u_int padlen = mflags & RMF_PADMASK; if (ndo->ndo_vflag) ND_PRINT((ndo, "[pad:%d] ", padlen)); if (length < padlen + 2) { ND_PRINT((ndo, "%s", tstr)); return; } ND_TCHECK2(ap[sizeof(short)], padlen); ap += padlen;
+ show +
44
45
46
47
48
length -= padlen; caplen -= padlen; rhp = (const union routehdr *)&(ap[sizeof(short)]); mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags); }
+ show +
49
50
51
52
53
54
55
56
57
58
if (mflags & RMF_FVER) { ND_PRINT((ndo, "future-version-decnet")); ND_DEFAULTPRINT(ap, min(length, caplen)); return; } /* is it a control message? */ if (mflags & RMF_CTLMSG) { if (!print_decnet_ctlmsg(ndo, rhp, length, caplen))

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #2
eigrp_tlv_type, eigrp_tlv_len)); + if (eigrp_tlv_len < sizeof(struct eigrp_tlv_header)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) sizeof(struct eigrp_tlv_header))); + break; + } tlv_tptr=tptr+sizeof(struct eigrp_tlv_header); tlv_tlen=eigrp_tlv_len-sizeof(struct eigrp_tlv_header);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
69
70
71
72
73
74
75
76
77
78
if (eigrp_tlv_len < sizeof(struct eigrp_tlv_header) || eigrp_tlv_len > tlen) { print_unknown_data(ndo,tptr+sizeof(struct eigrp_tlv_header),"\n\t ",tlen); return; } ND_PRINT((ndo, "\n\t %s TLV (0x%04x), length: %u", tok2str(eigrp_tlv_values, "Unknown", eigrp_tlv_type),
+ show +
79
80
81
82
83
eigrp_tlv_type, eigrp_tlv_len)); tlv_tptr=tptr+sizeof(struct eigrp_tlv_header); tlv_tlen=eigrp_tlv_len-sizeof(struct eigrp_tlv_header);
+ show +
84
85
86
87
88
89
90
91
92
93
/* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, eigrp_tlv_len); switch(eigrp_tlv_type) { case EIGRP_TLV_GENERAL_PARM: tlv_ptr.eigrp_tlv_general_parm = (const struct eigrp_tlv_general_parm_t *)tlv_tptr; ND_PRINT((ndo, "\n\t holdtime: %us, k1 %u, k2 %u, k3 %u, k4 %u, k5 %u",

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #3
case EIGRP_TLV_GENERAL_PARM: tlv_ptr.eigrp_tlv_general_parm = (const struct eigrp_tlv_general_parm_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_general_parm)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_general_parm)))); + break; + } ND_PRINT((ndo, "\n\t holdtime: %us, k1 %u, k2 %u, k3 %u, k4 %u, k5 %u", EXTRACT_16BITS(tlv_ptr.eigrp_tlv_general_parm->holdtime),
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
80
81
82
83
84
85
86
87
88
89
eigrp_tlv_len)); tlv_tptr=tptr+sizeof(struct eigrp_tlv_header); tlv_tlen=eigrp_tlv_len-sizeof(struct eigrp_tlv_header); /* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, eigrp_tlv_len); switch(eigrp_tlv_type) {
+ show +
90
91
92
93
94
case EIGRP_TLV_GENERAL_PARM: tlv_ptr.eigrp_tlv_general_parm = (const struct eigrp_tlv_general_parm_t *)tlv_tptr; ND_PRINT((ndo, "\n\t holdtime: %us, k1 %u, k2 %u, k3 %u, k4 %u, k5 %u", EXTRACT_16BITS(tlv_ptr.eigrp_tlv_general_parm->holdtime),
+ show +
95
96
97
98
99
100
101
102
103
104
tlv_ptr.eigrp_tlv_general_parm->k1, tlv_ptr.eigrp_tlv_general_parm->k2, tlv_ptr.eigrp_tlv_general_parm->k3, tlv_ptr.eigrp_tlv_general_parm->k4, tlv_ptr.eigrp_tlv_general_parm->k5)); break; case EIGRP_TLV_SW_VERSION: tlv_ptr.eigrp_tlv_sw_version = (const struct eigrp_tlv_sw_version_t *)tlv_tptr;

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #4
case EIGRP_TLV_SW_VERSION: tlv_ptr.eigrp_tlv_sw_version = (const struct eigrp_tlv_sw_version_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_sw_version)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_sw_version)))); + break; + } ND_PRINT((ndo, "\n\t IOS version: %u.%u, EIGRP version %u.%u", tlv_ptr.eigrp_tlv_sw_version->ios_major,
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
92
93
94
95
96
97
98
99
100
101
ND_PRINT((ndo, "\n\t holdtime: %us, k1 %u, k2 %u, k3 %u, k4 %u, k5 %u", EXTRACT_16BITS(tlv_ptr.eigrp_tlv_general_parm->holdtime), tlv_ptr.eigrp_tlv_general_parm->k1, tlv_ptr.eigrp_tlv_general_parm->k2, tlv_ptr.eigrp_tlv_general_parm->k3, tlv_ptr.eigrp_tlv_general_parm->k4, tlv_ptr.eigrp_tlv_general_parm->k5)); break;
+ show +
102
103
104
105
106
case EIGRP_TLV_SW_VERSION: tlv_ptr.eigrp_tlv_sw_version = (const struct eigrp_tlv_sw_version_t *)tlv_tptr; ND_PRINT((ndo, "\n\t IOS version: %u.%u, EIGRP version %u.%u", tlv_ptr.eigrp_tlv_sw_version->ios_major,
+ show +
107
108
109
110
111
112
113
114
115
116
tlv_ptr.eigrp_tlv_sw_version->ios_minor, tlv_ptr.eigrp_tlv_sw_version->eigrp_major, tlv_ptr.eigrp_tlv_sw_version->eigrp_minor)); break; case EIGRP_TLV_IP_INT: tlv_ptr.eigrp_tlv_ip_int = (const struct eigrp_tlv_ip_int_t *)tlv_tptr; bit_length = tlv_ptr.eigrp_tlv_ip_int->plen; if (bit_length > 32) {

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #5
case EIGRP_TLV_IP_INT: tlv_ptr.eigrp_tlv_ip_int = (const struct eigrp_tlv_ip_int_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_ip_int)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_ip_int)))); + break; + } bit_length = tlv_ptr.eigrp_tlv_ip_int->plen; if (bit_length > 32) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
102
103
104
105
106
107
108
109
110
111
case EIGRP_TLV_SW_VERSION: tlv_ptr.eigrp_tlv_sw_version = (const struct eigrp_tlv_sw_version_t *)tlv_tptr; ND_PRINT((ndo, "\n\t IOS version: %u.%u, EIGRP version %u.%u", tlv_ptr.eigrp_tlv_sw_version->ios_major, tlv_ptr.eigrp_tlv_sw_version->ios_minor, tlv_ptr.eigrp_tlv_sw_version->eigrp_major, tlv_ptr.eigrp_tlv_sw_version->eigrp_minor)); break;
+ show +
112
113
114
115
116
case EIGRP_TLV_IP_INT: tlv_ptr.eigrp_tlv_ip_int = (const struct eigrp_tlv_ip_int_t *)tlv_tptr; bit_length = tlv_ptr.eigrp_tlv_ip_int->plen; if (bit_length > 32) {
+ show +
117
118
119
120
121
122
123
124
125
126
ND_PRINT((ndo, "\n\t illegal prefix length %u",bit_length)); break; } byte_length = (bit_length + 7) / 8; /* variable length encoding */ memset(prefix, 0, 4); memcpy(prefix,&tlv_ptr.eigrp_tlv_ip_int->destination,byte_length); ND_PRINT((ndo, "\n\t IPv4 prefix: %15s/%u, nexthop: ", ipaddr_string(ndo, prefix), bit_length));

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #6
case EIGRP_TLV_IP_EXT: tlv_ptr.eigrp_tlv_ip_ext = (const struct eigrp_tlv_ip_ext_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_ip_ext)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_ip_ext)))); + break; + } bit_length = tlv_ptr.eigrp_tlv_ip_ext->plen; if (bit_length > 32) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
131
132
133
134
135
136
137
138
139
140
ND_PRINT((ndo, "\n\t delay %u ms, bandwidth %u Kbps, mtu %u, hop %u, reliability %u, load %u", (EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_ip_int->delay)/100), EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_ip_int->bandwidth), EXTRACT_24BITS(&tlv_ptr.eigrp_tlv_ip_int->mtu), tlv_ptr.eigrp_tlv_ip_int->hopcount, tlv_ptr.eigrp_tlv_ip_int->reliability, tlv_ptr.eigrp_tlv_ip_int->load)); break;
+ show +
141
142
143
144
145
case EIGRP_TLV_IP_EXT: tlv_ptr.eigrp_tlv_ip_ext = (const struct eigrp_tlv_ip_ext_t *)tlv_tptr; bit_length = tlv_ptr.eigrp_tlv_ip_ext->plen; if (bit_length > 32) {
+ show +
146
147
148
149
150
151
152
153
154
155
ND_PRINT((ndo, "\n\t illegal prefix length %u",bit_length)); break; } byte_length = (bit_length + 7) / 8; /* variable length encoding */ memset(prefix, 0, 4); memcpy(prefix,&tlv_ptr.eigrp_tlv_ip_ext->destination,byte_length); ND_PRINT((ndo, "\n\t IPv4 prefix: %15s/%u, nexthop: ", ipaddr_string(ndo, prefix), bit_length));

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #7
case EIGRP_TLV_AT_CABLE_SETUP: tlv_ptr.eigrp_tlv_at_cable_setup = (const struct eigrp_tlv_at_cable_setup_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_cable_setup)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_cable_setup)))); + break; + } ND_PRINT((ndo, "\n\t Cable-range: %u-%u, Router-ID %u", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_start),
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
168
169
170
171
172
173
174
175
176
177
ND_PRINT((ndo, "\n\t delay %u ms, bandwidth %u Kbps, mtu %u, hop %u, reliability %u, load %u", (EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_ip_ext->delay)/100), EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_ip_ext->bandwidth), EXTRACT_24BITS(&tlv_ptr.eigrp_tlv_ip_ext->mtu), tlv_ptr.eigrp_tlv_ip_ext->hopcount, tlv_ptr.eigrp_tlv_ip_ext->reliability, tlv_ptr.eigrp_tlv_ip_ext->load)); break;
+ show +
178
179
180
181
182
case EIGRP_TLV_AT_CABLE_SETUP: tlv_ptr.eigrp_tlv_at_cable_setup = (const struct eigrp_tlv_at_cable_setup_t *)tlv_tptr; ND_PRINT((ndo, "\n\t Cable-range: %u-%u, Router-ID %u", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_start),
+ show +
183
184
185
186
187
188
189
190
191
192
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_end), EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->router_id))); break; case EIGRP_TLV_AT_INT: tlv_ptr.eigrp_tlv_at_int = (const struct eigrp_tlv_at_int_t *)tlv_tptr; ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_start), EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_end)));

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #8
case EIGRP_TLV_AT_INT: tlv_ptr.eigrp_tlv_at_int = (const struct eigrp_tlv_at_int_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_int)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_int)))); + break; + } ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_start),
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
177
178
179
180
181
182
183
184
185
186
case EIGRP_TLV_AT_CABLE_SETUP: tlv_ptr.eigrp_tlv_at_cable_setup = (const struct eigrp_tlv_at_cable_setup_t *)tlv_tptr; ND_PRINT((ndo, "\n\t Cable-range: %u-%u, Router-ID %u", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_start), EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_end), EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->router_id))); break;
+ show +
187
188
189
190
191
case EIGRP_TLV_AT_INT: tlv_ptr.eigrp_tlv_at_int = (const struct eigrp_tlv_at_int_t *)tlv_tptr; ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_start),
+ show +
192
193
194
195
196
197
198
199
200
201
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_end))); if (EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_int->nexthop) == 0) ND_PRINT((ndo, "self")); else ND_PRINT((ndo, "%u.%u", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->nexthop), EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->nexthop[2]))); ND_PRINT((ndo, "\n\t delay %u ms, bandwidth %u Kbps, mtu %u, hop %u, reliability %u, load %u",

[tcpdump_CVE-2017-12901_1486251192_eigrp_print.diff] eigrp_print_OLD.c #9
case EIGRP_TLV_AT_EXT: tlv_ptr.eigrp_tlv_at_ext = (const struct eigrp_tlv_at_ext_t *)tlv_tptr; + if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_ext)) { + ND_PRINT((ndo, " (too short, < %u)", + (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_ext)))); + break; + } ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->cable_start),
.\cloneFuncs\totalClone\Type-1\CVE-2017-12901_before_1mo_1471267648_eigrp_print.c
200
201
202
203
204
205
206
207
208
209
ND_PRINT((ndo, "\n\t delay %u ms, bandwidth %u Kbps, mtu %u, hop %u, reliability %u, load %u", (EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_int->delay)/100), EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_int->bandwidth), EXTRACT_24BITS(&tlv_ptr.eigrp_tlv_at_int->mtu), tlv_ptr.eigrp_tlv_at_int->hopcount, tlv_ptr.eigrp_tlv_at_int->reliability, tlv_ptr.eigrp_tlv_at_int->load)); break;
+ show +
210
211
212
213
214
case EIGRP_TLV_AT_EXT: tlv_ptr.eigrp_tlv_at_ext = (const struct eigrp_tlv_at_ext_t *)tlv_tptr; ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->cable_start),
+ show +
215
216
217
218
219
220
221
222
223
224
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->cable_end))); if (EXTRACT_32BITS(&tlv_ptr.eigrp_tlv_at_ext->nexthop) == 0) ND_PRINT((ndo, "self")); else ND_PRINT((ndo, "%u.%u", EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->nexthop), EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->nexthop[2]))); ND_PRINT((ndo, "\n\t origin-router %u, origin-as %u, origin-proto %s, flags [0x%02x], tag 0x%08x, metric %u",

[tcpdump_CVE-2017-12902_1486262327_zephyr_print.diff] zephyr_print_OLD.c #1
int parselen = length; const char *s; int lose = 0; + int truncated = 0; /* squelch compiler warnings */
.\cloneFuncs\totalClone\Type-1\CVE-2017-12902_before_1mo_1471182139_zephyr_print.c
1
2
3
4
5
void zephyr_print(netdissect_options *ndo, const u_char *cp, int length) { struct z_packet z; const char *parse = (const char *) cp;
+ show +
6
7
8
9
10
int parselen = length; const char *s; int lose = 0; /* squelch compiler warnings */
+ show +
11
12
13
14
15
16
17
18
19
20
z.kind = 0; z.class = 0; z.inst = 0; z.opcode = 0; z.sender = 0; z.recipient = 0; #define PARSE_STRING \ s = parse_field(ndo, &parse, &parselen); \

[tcpdump_CVE-2017-12902_1486262327_zephyr_print.diff] zephyr_print_OLD.c #2
z.sender = 0; z.recipient = 0; -#define PARSE_STRING \ - s = parse_field(ndo, &parse, &parselen); \ +#define PARSE_STRING \ + s = parse_field(ndo, &parse, &parselen, &truncated); \ + if (truncated) goto trunc; \ if (!s) lose = 1; #define PARSE_FIELD_INT(field) \
.\cloneFuncs\totalClone\Type-1\CVE-2017-12902_before_1mo_1471182139_zephyr_print.c
6
7
8
9
10
11
12
13
14
15
int parselen = length; const char *s; int lose = 0; /* squelch compiler warnings */ z.kind = 0; z.class = 0; z.inst = 0; z.opcode = 0;
+ show +
16
17
18
19
20
21
22
23
z.sender = 0; z.recipient = 0; #define PARSE_STRING \ s = parse_field(ndo, &parse, &parselen); \ if (!s) lose = 1; #define PARSE_FIELD_INT(field) \
+ show +
24
25
26
27
28
29
30
31
32
33
PARSE_STRING \ if (!lose) field = strtol(s, 0, 16); #define PARSE_FIELD_STR(field) \ PARSE_STRING \ if (!lose) field = s; PARSE_FIELD_STR(z.version); if (lose) return; if (strncmp(z.version, "ZEPH", 4))

[tcpdump_CVE-2017-12902_1486262327_zephyr_print.diff] zephyr_print_OLD.c #3
PARSE_FIELD_INT(z.multi); PARSE_FIELD_STR(z.multi_uid); - if (lose) { - ND_PRINT((ndo, " [|zephyr] (%d)", length)); - return; - } + if (lose) + goto trunc; ND_PRINT((ndo, " zephyr")); if (strncmp(z.version+4, "0.2", 3)) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12902_before_1mo_1471182139_zephyr_print.c
40
41
42
43
44
45
46
47
48
49
PARSE_FIELD_INT(z.auth); PARSE_FIELD_INT(z.authlen); PARSE_FIELD_STR(z.authdata); PARSE_FIELD_STR(z.class); PARSE_FIELD_STR(z.inst); PARSE_FIELD_STR(z.opcode); PARSE_FIELD_STR(z.sender); PARSE_FIELD_STR(z.recipient); PARSE_FIELD_STR(z.format); PARSE_FIELD_INT(z.cksum);
+ show +
50
51
52
53
54
55
56
57
58
59
PARSE_FIELD_INT(z.multi); PARSE_FIELD_STR(z.multi_uid); if (lose) { ND_PRINT((ndo, " [|zephyr] (%d)", length)); return; } ND_PRINT((ndo, " zephyr")); if (strncmp(z.version+4, "0.2", 3)) {
+ show +
60
61
62
63
64
65
66
67
68
69
ND_PRINT((ndo, " v%s", z.version+4)); return; } ND_PRINT((ndo, " %s", tok2str(z_types, "type %d", z.kind))); if (z.kind == Z_PACKET_SERVACK) { /* Initialization to silence warnings */ const char *ackdata = NULL; PARSE_FIELD_STR(ackdata); if (!lose && strcmp(ackdata, "SENT"))

[tcpdump_CVE-2017-12987_1486409082_parse_elements.diff] parse_elements_OLD.c #1
offset += 3; length -= 3; - memcpy(tim.bitmap, p + (tim.length - 3), - (tim.length - 3)); + memcpy(tim.bitmap, p + offset + 3, tim.length - 3); offset += tim.length - 3; length -= tim.length - 3; /*
.\cloneFuncs\totalClone\Type-1\CVE-2017-12987_before_1mo_1471182139_parse_elements.c
183
184
185
186
187
188
189
190
191
192
offset += 2; length -= 2; if (tim.length <= 3) { offset += tim.length; length -= tim.length; break; } if (tim.length - 3 > (int)sizeof tim.bitmap) return 0; memcpy(&tim.count, p + offset, 3);
+ show +
193
194
195
196
197
198
199
200
offset += 3; length -= 3; memcpy(tim.bitmap, p + (tim.length - 3), (tim.length - 3)); offset += tim.length - 3; length -= tim.length - 3; /*
+ show +
201
202
203
204
205
206
207
208
209
210
* Present and not truncated. * * If we haven't already seen a TIM IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */ if (!pbody->tim_present) { pbody->tim = tim; pbody->tim_present = 1; }

[tcpdump_CVE-2017-13008_1488822169_parse_elements.diff] parse_elements_OLD.c #1
if (ssid.length != 0) { if (ssid.length > sizeof(ssid.ssid) - 1) return 0; - if (!ND_TTEST2(*(p + offset), ssid.length)) - return 0; - if (length < ssid.length) - return 0; memcpy(&ssid.ssid, p + offset, ssid.length); offset += ssid.length; length -= ssid.length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12987_before_1mo_1471182139_parse_elements.c
33
34
35
36
37
38
39
40
41
42
if (!ND_TTEST2(*(p + offset + 2), elementlen)) return 0; if (length < elementlen + 2) return 0; switch (*(p + offset)) { case E_SSID: memcpy(&ssid, p + offset, 2); offset += 2; length -= 2;
+ show +
43
44
45
46
47
48
49
50
51
52
if (ssid.length != 0) { if (ssid.length > sizeof(ssid.ssid) - 1) return 0; if (!ND_TTEST2(*(p + offset), ssid.length)) return 0; if (length < ssid.length) return 0; memcpy(&ssid.ssid, p + offset, ssid.length); offset += ssid.length; length -= ssid.length;
+ show +
53
54
55
56
57
58
59
60
61
62
} ssid.ssid[ssid.length] = '\0'; /* * Present and not truncated. * * If we haven't already seen an SSID IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */ if (!pbody->ssid_present) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13008_before_imd_1486409082_parse_elements.c
33
34
35
36
37
38
39
40
41
42
if (!ND_TTEST2(*(p + offset + 2), elementlen)) return 0; if (length < elementlen + 2) return 0; switch (*(p + offset)) { case E_SSID: memcpy(&ssid, p + offset, 2); offset += 2; length -= 2;
+ show +
43
44
45
46
47
48
49
50
51
52
if (ssid.length != 0) { if (ssid.length > sizeof(ssid.ssid) - 1) return 0; if (!ND_TTEST2(*(p + offset), ssid.length)) return 0; if (length < ssid.length) return 0; memcpy(&ssid.ssid, p + offset, ssid.length); offset += ssid.length; length -= ssid.length;
+ show +
53
54
55
56
57
58
59
60
61
62
} ssid.ssid[ssid.length] = '\0'; /* * Present and not truncated. * * If we haven't already seen an SSID IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */ if (!pbody->ssid_present) {

[tcpdump_CVE-2017-13008_1488822169_parse_elements.diff] parse_elements_OLD.c #2
if (challenge.length > sizeof(challenge.text) - 1) return 0; - if (!ND_TTEST2(*(p + offset), challenge.length)) - return 0; - if (length < challenge.length) - return 0; memcpy(&challenge.text, p + offset, challenge.length); offset += challenge.length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12987_before_1mo_1471182139_parse_elements.c
62
63
64
65
66
67
68
69
70
71
if (!pbody->ssid_present) { pbody->ssid = ssid; pbody->ssid_present = 1; } break; case E_CHALLENGE: memcpy(&challenge, p + offset, 2); offset += 2; length -= 2; if (challenge.length != 0) {
+ show +
72
73
74
75
76
77
78
79
80
81
if (challenge.length > sizeof(challenge.text) - 1) return 0; if (!ND_TTEST2(*(p + offset), challenge.length)) return 0; if (length < challenge.length) return 0; memcpy(&challenge.text, p + offset, challenge.length); offset += challenge.length;
+ show +
82
83
84
85
86
87
88
89
90
91
length -= challenge.length; } challenge.text[challenge.length] = '\0'; /* * Present and not truncated. * * If we haven't already seen a challenge IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */
.\cloneFuncs\totalClone\Type-1\CVE-2017-13008_before_imd_1486409082_parse_elements.c
62
63
64
65
66
67
68
69
70
71
if (!pbody->ssid_present) { pbody->ssid = ssid; pbody->ssid_present = 1; } break; case E_CHALLENGE: memcpy(&challenge, p + offset, 2); offset += 2; length -= 2; if (challenge.length != 0) {
+ show +
72
73
74
75
76
77
78
79
80
81
if (challenge.length > sizeof(challenge.text) - 1) return 0; if (!ND_TTEST2(*(p + offset), challenge.length)) return 0; if (length < challenge.length) return 0; memcpy(&challenge.text, p + offset, challenge.length); offset += challenge.length;
+ show +
82
83
84
85
86
87
88
89
90
91
length -= challenge.length; } challenge.text[challenge.length] = '\0'; /* * Present and not truncated. * * If we haven't already seen a challenge IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */

[tcpdump_CVE-2017-13008_1488822169_parse_elements.diff] parse_elements_OLD.c #3
if (rates.length != 0) { if (rates.length > sizeof rates.rate) return 0; - if (!ND_TTEST2(*(p + offset), rates.length)) - return 0; - if (length < rates.length) - return 0; memcpy(&rates.rate, p + offset, rates.length); offset += rates.length; length -= rates.length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12987_before_1mo_1471182139_parse_elements.c
91
92
93
94
95
96
97
98
99
100
*/ if (!pbody->challenge_present) { pbody->challenge = challenge; pbody->challenge_present = 1; } break; case E_RATES: memcpy(&rates, p + offset, 2); offset += 2; length -= 2;
+ show +
101
102
103
104
105
106
107
108
109
110
if (rates.length != 0) { if (rates.length > sizeof rates.rate) return 0; if (!ND_TTEST2(*(p + offset), rates.length)) return 0; if (length < rates.length) return 0; memcpy(&rates.rate, p + offset, rates.length); offset += rates.length; length -= rates.length;
+ show +
111
112
113
114
115
116
117
118
119
120
} /* * Present and not truncated. * * If we haven't already seen a rates IE, * copy this one if it's not zero-length, * otherwise ignore this one, so we later * report the first one we saw. * * We ignore zero-length rates IEs as some
.\cloneFuncs\totalClone\Type-1\CVE-2017-13008_before_imd_1486409082_parse_elements.c
91
92
93
94
95
96
97
98
99
100
*/ if (!pbody->challenge_present) { pbody->challenge = challenge; pbody->challenge_present = 1; } break; case E_RATES: memcpy(&rates, p + offset, 2); offset += 2; length -= 2;
+ show +
101
102
103
104
105
106
107
108
109
110
if (rates.length != 0) { if (rates.length > sizeof rates.rate) return 0; if (!ND_TTEST2(*(p + offset), rates.length)) return 0; if (length < rates.length) return 0; memcpy(&rates.rate, p + offset, rates.length); offset += rates.length; length -= rates.length;
+ show +
111
112
113
114
115
116
117
118
119
120
} /* * Present and not truncated. * * If we haven't already seen a rates IE, * copy this one if it's not zero-length, * otherwise ignore this one, so we later * report the first one we saw. * * We ignore zero-length rates IEs as some

[tcpdump_CVE-2017-12988_1486422785_telnet_parse.diff] telnet_parse_OLD.c #1
break; p++; } + ND_TCHECK(*p); if (*p != IAC) goto pktend;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12988_before_imd_1476296529_telnet_parse.c
44
45
46
47
48
49
50
51
52
53
if (print) ND_PRINT((ndo, "%s %#x", telcmds[i], x)); } if (c != SB) break; /* IAC SB .... IAC SE */ p = sp; while (length > (u_int)(p + 1 - sp)) { ND_TCHECK2(*p, 2); if (p[0] == IAC && p[1] == SE)
+ show +
54
55
56
57
58
break; p++; } if (*p != IAC) goto pktend;
+ show +
59
60
61
62
63
64
65
66
67
68
switch (x) { case TELOPT_AUTHENTICATION: if (p <= sp) break; FETCH(c, sp, length); if (print) ND_PRINT((ndo, " %s", STR_OR_ID(c, authcmd))); if (p <= sp) break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-12988_before_1mo_1476001484_telnet_parse.c
43
44
45
46
47
48
49
50
51
52
} else { if (print) ND_PRINT((ndo, "%s %#x", telcmds[i], x)); } if (c != SB) break; /* IAC SB .... IAC SE */ p = sp; while (length > (u_int)(p + 1 - sp)) { if (p[0] == IAC && p[1] == SE)
+ show +
53
54
55
56
57
break; p++; } if (*p != IAC) goto pktend;
+ show +
58
59
60
61
62
63
64
65
66
67
switch (x) { case TELOPT_AUTHENTICATION: if (p <= sp) break; FETCH(c, sp, length); if (print) ND_PRINT((ndo, " %s", STR_OR_ID(c, authcmd))); if (p <= sp) break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-12988_before_6mo_1441831358_telnet_parse.c
43
44
45
46
47
48
49
50
51
52
} else { if (print) ND_PRINT((ndo, "%s %#x", telcmds[i], x)); } if (c != SB) break; /* IAC SB .... IAC SE */ p = sp; while (length > (u_int)(p + 1 - sp)) { if (p[0] == IAC && p[1] == SE)
+ show +
53
54
55
56
57
break; p++; } if (*p != IAC) goto pktend;
+ show +
58
59
60
61
62
63
64
65
66
67
switch (x) { case TELOPT_AUTHENTICATION: if (p <= sp) break; FETCH(c, sp, length); if (print) ND_PRINT((ndo, " %s", STR_OR_ID(c, authcmd))); if (p <= sp) break;

[tcpdump_CVE-2017-12989_1486455213_resp_get_length.diff] resp_get_length_OLD.c #1
ND_TCHECK(*bp); c = *bp; if (!(c >= '0' && c <= '9')) { - if (!saw_digit) + if (!saw_digit) { + bp++; goto invalid; + } break; } c -= '0';
.\cloneFuncs\totalClone\Type-1\CVE-2017-12989_before_imd_1477596174_resp_get_length.c
16
17
18
19
20
21
22
23
24
25
neg = 1; bp++; len--; } result = 0; saw_digit = 0; for (;;) { if (len == 0) goto trunc;
+ show +
26
27
28
29
30
31
32
33
ND_TCHECK(*bp); c = *bp; if (!(c >= '0' && c <= '9')) { if (!saw_digit) goto invalid; break; } c -= '0';
+ show +
34
35
36
37
38
39
40
41
42
43
if (result > (INT_MAX / 10)) { /* This will overflow an int when we multiply it by 10. */ too_large = 1; } else { result *= 10; if (result == INT_MAX && c > (INT_MAX % 10)) { /* This will overflow an int when we add c */ too_large = 1; } else result += c;

[tcpdump_CVE-2017-12989_1486455213_resp_get_length.diff] resp_get_length_OLD.c #2
if (len == 0) goto trunc; ND_TCHECK(*bp); - if (*bp != '\r') + if (*bp != '\r') { + bp++; goto invalid; + } bp++; len--; if (len == 0) goto trunc; ND_TCHECK(*bp); - if (*bp != '\n') + if (*bp != '\n') { + bp++; goto invalid; + } bp++; len--; *endp = bp;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12989_before_imd_1477596174_resp_get_length.c
45
46
47
48
49
50
51
52
53
54
bp++; len--; saw_digit = 1; } if (!saw_digit) goto invalid; /* * OK, the next thing should be \r\n. */
+ show +
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
if (len == 0) goto trunc; ND_TCHECK(*bp); if (*bp != '\r') goto invalid; bp++; len--; if (len == 0) goto trunc; ND_TCHECK(*bp); if (*bp != '\n') goto invalid; bp++; len--; *endp = bp;
+ show +
70
71
72
73
74
75
76
77
78
79
if (neg) { /* -1 means "null", anything else is invalid */ if (too_large || result != 1) return (-4); result = -1; } return (too_large ? -3 : result); trunc: return (-2);

[tcpdump_CVE-2017-13690_1503547722_ikev2_auth_print.diff] ikev2_auth_print_OLD.c #1
const u_char *authdata = (const u_char*)ext + sizeof(a); unsigned int len; - ND_TCHECK(*ext); + ND_TCHECK2(*ext, sizeof(a)); UNALIGNED_MEMCPY(&a, ext, sizeof(a)); ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); len = ntohs(a.h.len);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_after_1mo_1503546339_ikev2_auth_print.c
1
2
3
4
5
6
7
8
9
10
static const u_char * ikev2_auth_print(netdissect_options *ndo, u_char tpay, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, uint32_t proto _U_, int depth _U_) { struct ikev2_auth a; const char *v2_auth[]={ "invalid", "rsasig", "shared-secret", "dsssig" };
+ show +
11
12
13
14
15
16
17
const u_char *authdata = (const u_char*)ext + sizeof(a); unsigned int len; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&a, ext, sizeof(a)); ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); len = ntohs(a.h.len);
+ show +
18
19
20
21
22
23
24
25
26
27
/* * Our caller has ensured that the length is >= 4. */ ND_PRINT((ndo," len=%u method=%s", len-4, STR_OR_ID(a.auth_method, v2_auth))); if (len > 4) { if (ndo->ndo_vflag > 1) { ND_PRINT((ndo, " authdata=(")); if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_before_1mo_1473623126_ikev2_auth_print.c
1
2
3
4
5
6
7
8
9
10
static const u_char * ikev2_auth_print(netdissect_options *ndo, u_char tpay, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, uint32_t proto _U_, int depth _U_) { struct ikev2_auth a; const char *v2_auth[]={ "invalid", "rsasig", "shared-secret", "dsssig" };
+ show +
11
12
13
14
15
16
17
const u_char *authdata = (const u_char*)ext + sizeof(a); unsigned int len; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&a, ext, sizeof(a)); ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); len = ntohs(a.h.len);
+ show +
18
19
20
21
22
23
24
25
26
27
ND_PRINT((ndo," len=%d method=%s", len-4, STR_OR_ID(a.auth_method, v2_auth))); if (1 < ndo->ndo_vflag && 4 < len) { ND_PRINT((ndo," authdata=(")); if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) goto trunc; ND_PRINT((ndo,") ")); } else if(ndo->ndo_vflag && 4 < len) {

[tcpdump_CVE-2017-12990_1486420430_ikev1_n_print.diff] ikev1_n_print_OLD.c #1
static const u_char * ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, uint32_t phase, uint32_t doi0 _U_, - uint32_t proto0 _U_, int depth) + const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, + uint32_t proto0 _U_, int depth _U_) { const struct ikev1_pl_n *p; struct ikev1_pl_n n;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_before_1mo_1473623126_ikev1_n_print.c
+ show +
1
2
3
4
5
6
7
8
static const u_char * ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, uint32_t phase, uint32_t doi0 _U_, uint32_t proto0 _U_, int depth) { const struct ikev1_pl_n *p; struct ikev1_pl_n n;
+ show +
9
10
11
12
13
14
15
16
17
18
const u_char *cp; const u_char *ep2; uint32_t doi; uint32_t proto; static const char *notify_error_str[] = { NULL, "INVALID-PAYLOAD-TYPE", "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", "INVALID-COOKIE", "INVALID-MAJOR-VERSION", "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", "INVALID-FLAGS", "INVALID-MESSAGE-ID",

[tcpdump_CVE-2017-12990_1486420430_ikev2_n_print.diff] ikev2_n_print_OLD.c #1
const struct ikev2_n *p; struct ikev2_n n; const u_char *cp; - u_char showspi, showdata, showsomedata; + u_char showspi, showsomedata; const char *notify_name; uint32_t type;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_before_1mo_1473623126_ikev2_n_print.c
1
2
3
4
5
6
7
static const u_char * ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, uint32_t proto _U_, int depth _U_) {
+ show +
8
9
10
11
12
13
const struct ikev2_n *p; struct ikev2_n n; const u_char *cp; u_char showspi, showdata, showsomedata; const char *notify_name; uint32_t type;
+ show +
14
15
16
17
18
19
20
21
22
23
p = (const struct ikev2_n *)ext; ND_TCHECK(*p); UNALIGNED_MEMCPY(&n, ext, sizeof(n)); ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); showspi = 1; showdata = 0; showsomedata=0; notify_name=NULL;

[tcpdump_CVE-2017-12990_1486420430_ikev2_n_print.diff] ikev2_n_print_OLD.c #2
ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); showspi = 1; - showdata = 0; showsomedata=0; notify_name=NULL;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_before_1mo_1473623126_ikev2_n_print.c
8
9
10
11
12
13
14
15
16
17
const struct ikev2_n *p; struct ikev2_n n; const u_char *cp; u_char showspi, showdata, showsomedata; const char *notify_name; uint32_t type; p = (const struct ikev2_n *)ext; ND_TCHECK(*p); UNALIGNED_MEMCPY(&n, ext, sizeof(n));
+ show +
18
19
20
21
22
23
ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); showspi = 1; showdata = 0; showsomedata=0; notify_name=NULL;
+ show +
24
25
26
27
28
29
30
31
32
33
ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); type = ntohs(n.type); /* notify space is annoying sparse */ switch(type) { case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: notify_name = "unsupported_critical_payload"; showspi = 0;

[tcpdump_CVE-2017-12990_1486420430_ikev2_n_print.diff] ikev2_n_print_OLD.c #3
notify_name = "cookie"; showspi = 1; showsomedata= 1; - showdata= 0; break; case IV2_NOTIFY_USE_TRANSPORT_MODE:
.\cloneFuncs\totalClone\Type-1\CVE-2017-12990_before_1mo_1473623126_ikev2_n_print.c
122
123
124
125
126
127
128
129
130
131
notify_name = "nat_detection_source_ip"; showspi = 1; break; case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: notify_name = "nat_detection_destination_ip"; showspi = 1; break; case IV2_NOTIFY_COOKIE:
+ show +
132
133
134
135
136
137
138
notify_name = "cookie"; showspi = 1; showsomedata= 1; showdata= 0; break; case IV2_NOTIFY_USE_TRANSPORT_MODE:
+ show +
139
140
141
142
143
144
145
146
147
148
notify_name = "use_transport_mode"; showspi = 0; break; case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: notify_name = "http_cert_lookup_supported"; showspi = 0; break; case IV2_NOTIFY_REKEY_SA:

[tcpdump_CVE-2017-12991_1486412078_bgp_attr_print.diff] bgp_attr_print_OLD.c #1
ND_TCHECK(tptr[0]); ND_PRINT((ndo, "%s", tok2str(bgp_as_path_segment_open_values, "?", tptr[0]))); + ND_TCHECK(tptr[1]); for (i = 0; i < tptr[1] * as_size; i += as_size) { ND_TCHECK2(tptr[2 + i], as_size); ND_PRINT((ndo, "%s ",
.\cloneFuncs\totalClone\Type-1\CVE-2017-12991_before_1mo_1477512990_bgp_attr_print.c
48
49
50
51
52
53
54
55
56
57
* BGP updates exchanged between New speakers that support 4 * byte AS, ASs are always encoded in 4 bytes. There is no * definitive way to find this, just by the packet's * contents. So, check for packet's TLV's sanity assuming * 2 bytes first, and it does not pass, assume that ASs are * encoded in 4 bytes format and move on. */ as_size = bgp_attr_get_as_size(ndo, atype, pptr, len); while (tptr < pptr + len) {
+ show +
58
59
60
61
62
63
ND_TCHECK(tptr[0]); ND_PRINT((ndo, "%s", tok2str(bgp_as_path_segment_open_values, "?", tptr[0]))); for (i = 0; i < tptr[1] * as_size; i += as_size) { ND_TCHECK2(tptr[2 + i], as_size); ND_PRINT((ndo, "%s ",
+ show +
64
65
66
67
68
69
70
71
72
73
as_printf(ndo, astostr, sizeof(astostr), as_size == 2 ? EXTRACT_16BITS(&tptr[2 + i]) : EXTRACT_32BITS(&tptr[2 + i])))); } ND_TCHECK(tptr[0]); ND_PRINT((ndo, "%s", tok2str(bgp_as_path_segment_close_values, "?", tptr[0]))); ND_TCHECK(tptr[1]); tptr += 2 + tptr[1] * as_size;
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_before_6mo_1468230214_bgp_attr_print.c
49
50
51
52
53
54
55
56
57
58
* BGP updates exchanged between New speakers that support 4 * byte AS, ASs are always encoded in 4 bytes. There is no * definitive way to find this, just by the packet's * contents. So, check for packet's TLV's sanity assuming * 2 bytes first, and it does not pass, assume that ASs are * encoded in 4 bytes format and move on. */ as_size = bgp_attr_get_as_size(ndo, atype, pptr, len); while (tptr < pptr + len) {
+ show +
59
60
61
62
63
64
ND_TCHECK(tptr[0]); ND_PRINT((ndo, "%s", tok2str(bgp_as_path_segment_open_values, "?", tptr[0]))); for (i = 0; i < tptr[1] * as_size; i += as_size) { ND_TCHECK2(tptr[2 + i], as_size); ND_PRINT((ndo, "%s ",
+ show +
65
66
67
68
69
70
71
72
73
74
as_printf(ndo, astostr, sizeof(astostr), as_size == 2 ? EXTRACT_16BITS(&tptr[2 + i]) : EXTRACT_32BITS(&tptr[2 + i])))); } ND_TCHECK(tptr[0]); ND_PRINT((ndo, "%s", tok2str(bgp_as_path_segment_close_values, "?", tptr[0]))); ND_TCHECK(tptr[1]); tptr += 2 + tptr[1] * as_size;

[tcpdump_CVE-2017-12994_1486498087_bgp_attr_print.diff] bgp_attr_print_OLD.c #1
uint8_t type; uint16_t length; - ND_TCHECK2(tptr[0], 3); - tlen = len; while (tlen >= 3) { + ND_TCHECK2(tptr[0], 3); + type = *tptr; length = EXTRACT_16BITS(tptr+1); + tptr += 3; + tlen -= 3; ND_PRINT((ndo, "\n\t %s TLV (%u), length %u", tok2str(bgp_aigp_values, "Unknown", type), type, length)); + if (length < 3) + goto trunc; + length -= 3; + /* * Check if we can read the TLV data. */ - ND_TCHECK2(tptr[3], length - 3); + ND_TCHECK2(tptr[3], length); switch (type) { case BGP_AIGP_TLV: - ND_TCHECK2(tptr[3], 8); + if (length < 8) + goto trunc; ND_PRINT((ndo, ", metric %" PRIu64, - EXTRACT_64BITS(tptr+3))); + EXTRACT_64BITS(tptr))); break; default: if (ndo->ndo_vflag <= 1) { - print_unknown_data(ndo, tptr+3,"\n\t ", length-3); + print_unknown_data(ndo, tptr,"\n\t ", length); } }
.\cloneFuncs\totalClone\Type-1\CVE-2017-12991_before_1mo_1477512990_bgp_attr_print.c
823
824
825
826
827
828
829
830
831
832
break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr, "\n\t ", tlen); } } break; } case BGPTYPE_AIGP: {
+ show +
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
uint8_t type; uint16_t length; ND_TCHECK2(tptr[0], 3); tlen = len; while (tlen >= 3) { type = *tptr; length = EXTRACT_16BITS(tptr+1); ND_PRINT((ndo, "\n\t %s TLV (%u), length %u", tok2str(bgp_aigp_values, "Unknown", type), type, length)); /* * Check if we can read the TLV data. */ ND_TCHECK2(tptr[3], length - 3); switch (type) { case BGP_AIGP_TLV: ND_TCHECK2(tptr[3], 8); ND_PRINT((ndo, ", metric %" PRIu64, EXTRACT_64BITS(tptr+3))); break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr+3,"\n\t ", length-3); } }
+ show +
867
868
869
870
871
872
873
874
875
876
tptr += length; tlen -= length; } break; } case BGPTYPE_ATTR_SET: ND_TCHECK2(tptr[0], 4); if (len < 4) goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-12994_before_imd_1486412078_bgp_attr_print.c
824
825
826
827
828
829
830
831
832
833
break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr, "\n\t ", tlen); } } break; } case BGPTYPE_AIGP: {
+ show +
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
uint8_t type; uint16_t length; ND_TCHECK2(tptr[0], 3); tlen = len; while (tlen >= 3) { type = *tptr; length = EXTRACT_16BITS(tptr+1); ND_PRINT((ndo, "\n\t %s TLV (%u), length %u", tok2str(bgp_aigp_values, "Unknown", type), type, length)); /* * Check if we can read the TLV data. */ ND_TCHECK2(tptr[3], length - 3); switch (type) { case BGP_AIGP_TLV: ND_TCHECK2(tptr[3], 8); ND_PRINT((ndo, ", metric %" PRIu64, EXTRACT_64BITS(tptr+3))); break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr+3,"\n\t ", length-3); } }
+ show +
868
869
870
871
872
873
874
875
876
877
tptr += length; tlen -= length; } break; } case BGPTYPE_ATTR_SET: ND_TCHECK2(tptr[0], 4); if (len < 4) goto trunc;
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_before_6mo_1468230214_bgp_attr_print.c
824
825
826
827
828
829
830
831
832
833
break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr, "\n\t ", tlen); } } break; } case BGPTYPE_AIGP: {
+ show +
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
uint8_t type; uint16_t length; ND_TCHECK2(tptr[0], 3); tlen = len; while (tlen >= 3) { type = *tptr; length = EXTRACT_16BITS(tptr+1); ND_PRINT((ndo, "\n\t %s TLV (%u), length %u", tok2str(bgp_aigp_values, "Unknown", type), type, length)); /* * Check if we can read the TLV data. */ ND_TCHECK2(tptr[3], length - 3); switch (type) { case BGP_AIGP_TLV: ND_TCHECK2(tptr[3], 8); ND_PRINT((ndo, ", metric %" PRIu64, EXTRACT_64BITS(tptr+3))); break; default: if (ndo->ndo_vflag <= 1) { print_unknown_data(ndo, tptr+3,"\n\t ", length-3); } }
+ show +
869
870
871
872
873
874
875
876
877
878
tptr += length; tlen -= length; } break; } case BGPTYPE_ATTR_SET: ND_TCHECK2(tptr[0], 4); if (len < 4) goto trunc;

[tcpdump_CVE-2017-13046_1501796084_bgp_attr_print.diff] bgp_attr_print_OLD.c #1
{ uint8_t tunnel_type, flags; + ND_TCHECK2(tptr[0], 5); tunnel_type = *(tptr+1); flags = *tptr; tlen = len; - ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
.\cloneFuncs\totalClone\Type-1\CVE-2017-12991_before_1mo_1477512990_bgp_attr_print.c
764
765
766
767
768
769
770
771
772
773
ND_TCHECK2(*tptr,8); print_unknown_data(ndo, tptr, "\n\t ", 8); break; } tlen -=8; tptr +=8; } break; case BGPTYPE_PMSI_TUNNEL:
+ show +
774
775
776
777
778
779
780
781
782
783
784
{ uint8_t tunnel_type, flags; tunnel_type = *(tptr+1); flags = *tptr; tlen = len; ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
+ show +
785
786
787
788
789
790
791
792
793
794
bittok2str(bgp_pmsi_flag_values, "none", flags), EXTRACT_24BITS(tptr+2)>>4)); tptr +=5; tlen -= 5; switch (tunnel_type) { case BGP_PMSI_TUNNEL_PIM_SM: /* fall through */ case BGP_PMSI_TUNNEL_PIM_BIDIR: ND_TCHECK2(tptr[0], 8);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12994_before_imd_1486412078_bgp_attr_print.c
765
766
767
768
769
770
771
772
773
774
ND_TCHECK2(*tptr,8); print_unknown_data(ndo, tptr, "\n\t ", 8); break; } tlen -=8; tptr +=8; } break; case BGPTYPE_PMSI_TUNNEL:
+ show +
775
776
777
778
779
780
781
782
783
784
785
{ uint8_t tunnel_type, flags; tunnel_type = *(tptr+1); flags = *tptr; tlen = len; ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
+ show +
786
787
788
789
790
791
792
793
794
795
bittok2str(bgp_pmsi_flag_values, "none", flags), EXTRACT_24BITS(tptr+2)>>4)); tptr +=5; tlen -= 5; switch (tunnel_type) { case BGP_PMSI_TUNNEL_PIM_SM: /* fall through */ case BGP_PMSI_TUNNEL_PIM_BIDIR: ND_TCHECK2(tptr[0], 8);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13046_before_imd_1489136568_bgp_attr_print.c
765
766
767
768
769
770
771
772
773
774
ND_TCHECK2(*tptr,8); print_unknown_data(ndo, tptr, "\n\t ", 8); break; } tlen -=8; tptr +=8; } break; case BGPTYPE_PMSI_TUNNEL:
+ show +
775
776
777
778
779
780
781
782
783
784
785
{ uint8_t tunnel_type, flags; tunnel_type = *(tptr+1); flags = *tptr; tlen = len; ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
+ show +
786
787
788
789
790
791
792
793
794
795
bittok2str(bgp_pmsi_flag_values, "none", flags), EXTRACT_24BITS(tptr+2)>>4)); tptr +=5; tlen -= 5; switch (tunnel_type) { case BGP_PMSI_TUNNEL_PIM_SM: /* fall through */ case BGP_PMSI_TUNNEL_PIM_BIDIR: ND_TCHECK2(tptr[0], 8);
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_after_imd_1486498087_bgp_attr_print.c
765
766
767
768
769
770
771
772
773
774
ND_TCHECK2(*tptr,8); print_unknown_data(ndo, tptr, "\n\t ", 8); break; } tlen -=8; tptr +=8; } break; case BGPTYPE_PMSI_TUNNEL:
+ show +
775
776
777
778
779
780
781
782
783
784
785
{ uint8_t tunnel_type, flags; tunnel_type = *(tptr+1); flags = *tptr; tlen = len; ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
+ show +
786
787
788
789
790
791
792
793
794
795
bittok2str(bgp_pmsi_flag_values, "none", flags), EXTRACT_24BITS(tptr+2)>>4)); tptr +=5; tlen -= 5; switch (tunnel_type) { case BGP_PMSI_TUNNEL_PIM_SM: /* fall through */ case BGP_PMSI_TUNNEL_PIM_BIDIR: ND_TCHECK2(tptr[0], 8);
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_before_6mo_1468230214_bgp_attr_print.c
765
766
767
768
769
770
771
772
773
774
ND_TCHECK2(*tptr,8); print_unknown_data(ndo, tptr, "\n\t ", 8); break; } tlen -=8; tptr +=8; } break; case BGPTYPE_PMSI_TUNNEL:
+ show +
775
776
777
778
779
780
781
782
783
784
785
{ uint8_t tunnel_type, flags; tunnel_type = *(tptr+1); flags = *tptr; tlen = len; ND_TCHECK2(tptr[0], 5); ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u", tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type), tunnel_type,
+ show +
786
787
788
789
790
791
792
793
794
795
bittok2str(bgp_pmsi_flag_values, "none", flags), EXTRACT_24BITS(tptr+2)>>4)); tptr +=5; tlen -= 5; switch (tunnel_type) { case BGP_PMSI_TUNNEL_PIM_SM: /* fall through */ case BGP_PMSI_TUNNEL_PIM_BIDIR: ND_TCHECK2(tptr[0], 8);

[tcpdump_CVE-2017-12998_1487011084_isis_print_extd_ip_reach.diff] isis_print_extd_ip_reach_OLD.c #1
} processed++; } else if (afi == AF_INET6) { - if (!ND_TTEST2(*tptr, 1)) /* fetch status & prefix_len byte */ + if (!ND_TTEST2(*tptr, 2)) /* fetch status & prefix_len byte */ return (0); status_byte=*(tptr++); bit_length=*(tptr++);
.\cloneFuncs\totalClone\Type-1\CVE-2017-12998_before_1mo_1474728230_isis_print_extd_ip_reach.c
15
16
17
18
19
20
21
22
23
24
if (afi == AF_INET) { if (!ND_TTEST2(*tptr, 1)) /* fetch status byte */ return (0); status_byte=*(tptr++); bit_length = status_byte&0x3f; if (bit_length > 32) { ND_PRINT((ndo, "%sIPv4 prefix: bad bit length %u", ident, bit_length)); return (0);
+ show +
25
26
27
28
29
30
31
} processed++; } else if (afi == AF_INET6) { if (!ND_TTEST2(*tptr, 1)) /* fetch status & prefix_len byte */ return (0); status_byte=*(tptr++); bit_length=*(tptr++);
+ show +
32
33
34
35
36
37
38
39
40
41
if (bit_length > 128) { ND_PRINT((ndo, "%sIPv6 prefix: bad bit length %u", ident, bit_length)); return (0); } processed+=2; } else return (0); /* somebody is fooling us */

[tcpdump_CVE-2017-13000_1487715015_ieee802_15_4_if_print.diff] ieee802_15_4_if_print_OLD.c #1
return hdrlen; } if (ndo->ndo_vflag) - ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p + 2))); + ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p))); p += 2; caplen -= 2; hdrlen += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13000_before_imd_1487713219_ieee802_15_4_if_print.c
49
50
51
52
53
54
55
56
57
58
if (caplen < 2) { ND_PRINT((ndo, "[|802.15.4]")); return hdrlen; } panid = EXTRACT_LE_16BITS(p); p += 2; caplen -= 2; hdrlen += 2; if (caplen < 2) { ND_PRINT((ndo, "[|802.15.4]"));
+ show +
59
60
61
62
63
64
65
return hdrlen; } if (ndo->ndo_vflag) ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p + 2))); p += 2; caplen -= 2; hdrlen += 2;
+ show +
66
67
68
69
70
71
72
73
74
75
break; case FC_ADDRESSING_MODE_LONG: if (caplen < 2) { ND_PRINT((ndo, "[|802.15.4]")); return hdrlen; } panid = EXTRACT_LE_16BITS(p); p += 2; caplen -= 2; hdrlen += 2;

[tcpdump_CVE-2017-13002_1487542772_aodv_extension.diff] aodv_extension_OLD.c #1
{ const struct aodv_hello *ah; + ND_TCHECK(*ep); switch (ep->type) { case AODV_EXT_HELLO: ah = (const struct aodv_hello *)(const void *)ep; ND_TCHECK(*ah); if (length < sizeof(struct aodv_hello)) goto trunc; + if (ep->length < 4) { + ND_PRINT((ndo, "\n\text HELLO - bad length %u", ep->length)); + break; + } ND_PRINT((ndo, "\n\text HELLO %ld ms", (unsigned long)EXTRACT_32BITS(&ah->interval))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13002_before_1mo_1442527004_aodv_extension.c
1
2
3
static void aodv_extension(netdissect_options *ndo, const struct aodv_ext *ep, u_int length)
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
{ const struct aodv_hello *ah; switch (ep->type) { case AODV_EXT_HELLO: ah = (const struct aodv_hello *)(const void *)ep; ND_TCHECK(*ah); if (length < sizeof(struct aodv_hello)) goto trunc; ND_PRINT((ndo, "\n\text HELLO %ld ms", (unsigned long)EXTRACT_32BITS(&ah->interval))); break;
+ show +
16
17
18
19
20
21
22
23
24
25
default: ND_PRINT((ndo, "\n\text %u %u", ep->type, ep->length)); break; } return; trunc: ND_PRINT((ndo, " [|hello]")); }

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #1
const struct lmp_common_header *lmp_com_header; const struct lmp_object_header *lmp_obj_header; const u_char *tptr,*obj_tptr; - int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; + u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; int hexdump; - int offset,subobj_type,subobj_len,total_subobj_len; - int link_type; + u_int offset; + u_int link_type; union { /* int to float conversion buffer */ float f;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
1
2
3
4
void lmp_print(netdissect_options *ndo, register const u_char *pptr, register u_int len) {
+ show +
5
6
7
8
9
10
11
12
13
14
const struct lmp_common_header *lmp_com_header; const struct lmp_object_header *lmp_obj_header; const u_char *tptr,*obj_tptr; int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; int hexdump; int offset,subobj_type,subobj_len,total_subobj_len; int link_type; union { /* int to float conversion buffer */ float f;
+ show +
15
16
17
18
19
20
21
22
23
24
uint32_t i; } bw; tptr=pptr; lmp_com_header = (const struct lmp_common_header *)pptr; ND_TCHECK(*lmp_com_header); /* * Sanity checking of the header. */
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
1
2
3
4
void lmp_print(netdissect_options *ndo, register const u_char *pptr, register u_int len) {
+ show +
5
6
7
8
9
10
11
12
13
14
const struct lmp_common_header *lmp_com_header; const struct lmp_object_header *lmp_obj_header; const u_char *tptr,*obj_tptr; int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; int hexdump; int offset,subobj_type,subobj_len,total_subobj_len; int link_type; union { /* int to float conversion buffer */ float f;
+ show +
15
16
17
18
19
20
21
22
23
24
uint32_t i; } bw; tptr=pptr; lmp_com_header = (const struct lmp_common_header *)pptr; ND_TCHECK(*lmp_com_header); /* * Sanity checking of the header. */

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #2
tok2str(lmp_msg_type_values, "unknown, type: %u",lmp_com_header->msg_type), bittok2str(lmp_header_flag_values,"none",lmp_com_header->flags), tlen)); + if (tlen < sizeof(const struct lmp_common_header)) { + ND_PRINT((ndo, " (too short)")); + return; + } + if (tlen > len) { + ND_PRINT((ndo, " (too long)")); + tlen = len; + } tptr+=sizeof(const struct lmp_common_header); tlen-=sizeof(const struct lmp_common_header);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
36
37
38
39
40
41
42
43
44
45
len)); return; } /* ok they seem to want to know everything - lets fully decode it */ tlen=EXTRACT_16BITS(lmp_com_header->length); ND_PRINT((ndo, "\n\tLMPv%u, msg-type: %s, Flags: [%s], length: %u", LMP_EXTRACT_VERSION(lmp_com_header->version_res[0]),
+ show +
46
47
48
49
50
51
tok2str(lmp_msg_type_values, "unknown, type: %u",lmp_com_header->msg_type), bittok2str(lmp_header_flag_values,"none",lmp_com_header->flags), tlen)); tptr+=sizeof(const struct lmp_common_header); tlen-=sizeof(const struct lmp_common_header);
+ show +
52
53
54
55
56
57
58
59
60
61
while(tlen>0) { /* did we capture enough for fully decoding the object header ? */ ND_TCHECK2(*tptr, sizeof(struct lmp_object_header)); lmp_obj_header = (const struct lmp_object_header *)tptr; lmp_obj_len=EXTRACT_16BITS(lmp_obj_header->length); lmp_obj_ctype=(lmp_obj_header->ctype)&0x7f; if(lmp_obj_len % 4 || lmp_obj_len < 4)
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
36
37
38
39
40
41
42
43
44
45
len)); return; } /* ok they seem to want to know everything - lets fully decode it */ tlen=EXTRACT_16BITS(lmp_com_header->length); ND_PRINT((ndo, "\n\tLMPv%u, msg-type: %s, Flags: [%s], length: %u", LMP_EXTRACT_VERSION(lmp_com_header->version_res[0]),
+ show +
46
47
48
49
50
51
tok2str(lmp_msg_type_values, "unknown, type: %u",lmp_com_header->msg_type), bittok2str(lmp_header_flag_values,"none",lmp_com_header->flags), tlen)); tptr+=sizeof(const struct lmp_common_header); tlen-=sizeof(const struct lmp_common_header);
+ show +
52
53
54
55
56
57
58
59
60
61
while(tlen>0) { /* did we capture enough for fully decoding the object header ? */ ND_TCHECK2(*tptr, sizeof(struct lmp_object_header)); lmp_obj_header = (const struct lmp_object_header *)tptr; lmp_obj_len=EXTRACT_16BITS(lmp_obj_header->length); lmp_obj_ctype=(lmp_obj_header->ctype)&0x7f; if(lmp_obj_len % 4 || lmp_obj_len < 4)

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #3
lmp_obj_len=EXTRACT_16BITS(lmp_obj_header->length); lmp_obj_ctype=(lmp_obj_header->ctype)&0x7f; - if(lmp_obj_len % 4 || lmp_obj_len < 4) - return; - ND_PRINT((ndo, "\n\t %s Object (%u), Class-Type: %s (%u) Flags: [%snegotiable], length: %u", tok2str(lmp_obj_values, "Unknown",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
48
49
50
51
52
53
54
55
56
57
tlen)); tptr+=sizeof(const struct lmp_common_header); tlen-=sizeof(const struct lmp_common_header); while(tlen>0) { /* did we capture enough for fully decoding the object header ? */ ND_TCHECK2(*tptr, sizeof(struct lmp_object_header)); lmp_obj_header = (const struct lmp_object_header *)tptr;
+ show +
58
59
60
61
62
63
64
65
66
lmp_obj_len=EXTRACT_16BITS(lmp_obj_header->length); lmp_obj_ctype=(lmp_obj_header->ctype)&0x7f; if(lmp_obj_len % 4 || lmp_obj_len < 4) return; ND_PRINT((ndo, "\n\t %s Object (%u), Class-Type: %s (%u) Flags: [%snegotiable], length: %u", tok2str(lmp_obj_values, "Unknown",
+ show +
67
68
69
70
71
72
73
74
75
76
lmp_obj_header->class_num), lmp_obj_header->class_num, tok2str(lmp_ctype_values, "Unknown", ((lmp_obj_header->class_num)<<8)+lmp_obj_ctype), lmp_obj_ctype, (lmp_obj_header->ctype)&0x80 ? "" : "non-", lmp_obj_len)); obj_tptr=tptr+sizeof(struct lmp_object_header);
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
48
49
50
51
52
53
54
55
56
57
tlen)); tptr+=sizeof(const struct lmp_common_header); tlen-=sizeof(const struct lmp_common_header); while(tlen>0) { /* did we capture enough for fully decoding the object header ? */ ND_TCHECK2(*tptr, sizeof(struct lmp_object_header)); lmp_obj_header = (const struct lmp_object_header *)tptr;
+ show +
58
59
60
61
62
63
64
65
66
lmp_obj_len=EXTRACT_16BITS(lmp_obj_header->length); lmp_obj_ctype=(lmp_obj_header->ctype)&0x7f; if(lmp_obj_len % 4 || lmp_obj_len < 4) return; ND_PRINT((ndo, "\n\t %s Object (%u), Class-Type: %s (%u) Flags: [%snegotiable], length: %u", tok2str(lmp_obj_values, "Unknown",
+ show +
67
68
69
70
71
72
73
74
75
76
lmp_obj_header->class_num), lmp_obj_header->class_num, tok2str(lmp_ctype_values, "Unknown", ((lmp_obj_header->class_num)<<8)+lmp_obj_ctype), lmp_obj_ctype, (lmp_obj_header->ctype)&0x80 ? "" : "non-", lmp_obj_len)); obj_tptr=tptr+sizeof(struct lmp_object_header);

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #4
(lmp_obj_header->ctype)&0x80 ? "" : "non-", lmp_obj_len)); + if (lmp_obj_len < 4) { + ND_PRINT((ndo, " (too short)")); + return; + } + if ((lmp_obj_len % 4) != 0) { + ND_PRINT((ndo, " (not a multiple of 4)")); + return; + } + obj_tptr=tptr+sizeof(struct lmp_object_header); obj_tlen=lmp_obj_len-sizeof(struct lmp_object_header);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
63
64
65
66
67
68
69
70
71
72
ND_PRINT((ndo, "\n\t %s Object (%u), Class-Type: %s (%u) Flags: [%snegotiable], length: %u", tok2str(lmp_obj_values, "Unknown", lmp_obj_header->class_num), lmp_obj_header->class_num, tok2str(lmp_ctype_values, "Unknown", ((lmp_obj_header->class_num)<<8)+lmp_obj_ctype), lmp_obj_ctype,
+ show +
73
74
75
76
77
(lmp_obj_header->ctype)&0x80 ? "" : "non-", lmp_obj_len)); obj_tptr=tptr+sizeof(struct lmp_object_header); obj_tlen=lmp_obj_len-sizeof(struct lmp_object_header);
+ show +
78
79
80
81
82
83
84
85
86
87
/* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, lmp_obj_len); hexdump=FALSE; switch(lmp_obj_header->class_num) { case LMP_OBJ_CC_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_LOC:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
63
64
65
66
67
68
69
70
71
72
ND_PRINT((ndo, "\n\t %s Object (%u), Class-Type: %s (%u) Flags: [%snegotiable], length: %u", tok2str(lmp_obj_values, "Unknown", lmp_obj_header->class_num), lmp_obj_header->class_num, tok2str(lmp_ctype_values, "Unknown", ((lmp_obj_header->class_num)<<8)+lmp_obj_ctype), lmp_obj_ctype,
+ show +
73
74
75
76
77
(lmp_obj_header->ctype)&0x80 ? "" : "non-", lmp_obj_len)); obj_tptr=tptr+sizeof(struct lmp_object_header); obj_tlen=lmp_obj_len-sizeof(struct lmp_object_header);
+ show +
78
79
80
81
82
83
84
85
86
87
/* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, lmp_obj_len); hexdump=FALSE; switch(lmp_obj_header->class_num) { case LMP_OBJ_CC_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_LOC:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #5
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Control Channel ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
76
77
78
79
80
81
82
83
84
85
obj_tptr=tptr+sizeof(struct lmp_object_header); obj_tlen=lmp_obj_len-sizeof(struct lmp_object_header); /* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, lmp_obj_len); hexdump=FALSE; switch(lmp_obj_header->class_num) { case LMP_OBJ_CC_ID:
+ show +
86
87
88
89
90
91
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: ND_PRINT((ndo, "\n\t Control Channel ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
92
93
94
95
96
97
98
99
100
101
break; default: hexdump=TRUE; } break; case LMP_OBJ_LINK_ID: case LMP_OBJ_INTERFACE_ID: switch(lmp_obj_ctype) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
76
77
78
79
80
81
82
83
84
85
obj_tptr=tptr+sizeof(struct lmp_object_header); obj_tlen=lmp_obj_len-sizeof(struct lmp_object_header); /* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, lmp_obj_len); hexdump=FALSE; switch(lmp_obj_header->class_num) { case LMP_OBJ_CC_ID:
+ show +
86
87
88
89
90
91
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: ND_PRINT((ndo, "\n\t Control Channel ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
92
93
94
95
96
97
98
99
100
101
break; default: hexdump=TRUE; } break; case LMP_OBJ_LINK_ID: case LMP_OBJ_INTERFACE_ID: switch(lmp_obj_ctype) {

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #6
switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4_LOC: case LMP_CTYPE_IPV4_RMT: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t IPv4 Link ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_IPV6_LOC: case LMP_CTYPE_IPV6_RMT: + if (obj_tlen != 16) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t IPv6 Link ID: %s (0x%08x)", ip6addr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_UNMD_LOC: case LMP_CTYPE_UNMD_RMT: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Link ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
91
92
93
94
95
96
97
98
99
100
EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break; case LMP_OBJ_LINK_ID: case LMP_OBJ_INTERFACE_ID:
+ show +
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4_LOC: case LMP_CTYPE_IPV4_RMT: ND_PRINT((ndo, "\n\t IPv4 Link ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_IPV6_LOC: case LMP_CTYPE_IPV6_RMT: ND_PRINT((ndo, "\n\t IPv6 Link ID: %s (0x%08x)", ip6addr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_UNMD_LOC: case LMP_CTYPE_UNMD_RMT: ND_PRINT((ndo, "\n\t Link ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
119
120
121
122
123
124
125
126
127
128
break; default: hexdump=TRUE; } break; case LMP_OBJ_MESSAGE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Message ID: %u (0x%08x)",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
91
92
93
94
95
96
97
98
99
100
EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break; case LMP_OBJ_LINK_ID: case LMP_OBJ_INTERFACE_ID:
+ show +
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4_LOC: case LMP_CTYPE_IPV4_RMT: ND_PRINT((ndo, "\n\t IPv4 Link ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_IPV6_LOC: case LMP_CTYPE_IPV6_RMT: ND_PRINT((ndo, "\n\t IPv6 Link ID: %s (0x%08x)", ip6addr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_UNMD_LOC: case LMP_CTYPE_UNMD_RMT: ND_PRINT((ndo, "\n\t Link ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
119
120
121
122
123
124
125
126
127
128
break; default: hexdump=TRUE; } break; case LMP_OBJ_MESSAGE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Message ID: %u (0x%08x)",

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #7
case LMP_OBJ_MESSAGE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Message ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_2: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Message ID Ack: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
115
116
117
118
119
120
121
122
123
124
case LMP_CTYPE_UNMD_RMT: ND_PRINT((ndo, "\n\t Link ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
125
126
127
128
129
130
131
132
133
134
135
case LMP_OBJ_MESSAGE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Message ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_2: ND_PRINT((ndo, "\n\t Message ID Ack: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
136
137
138
139
140
141
142
143
144
145
break; default: hexdump=TRUE; } break; case LMP_OBJ_NODE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
115
116
117
118
119
120
121
122
123
124
case LMP_CTYPE_UNMD_RMT: ND_PRINT((ndo, "\n\t Link ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
125
126
127
128
129
130
131
132
133
134
135
case LMP_OBJ_MESSAGE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Message ID: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; case LMP_CTYPE_2: ND_PRINT((ndo, "\n\t Message ID Ack: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
136
137
138
139
140
141
142
143
144
145
break; default: hexdump=TRUE; } break; case LMP_OBJ_NODE_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #8
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Node ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
133
134
135
136
137
138
139
140
141
142
ND_PRINT((ndo, "\n\t Message ID Ack: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break; case LMP_OBJ_NODE_ID:
+ show +
143
144
145
146
147
148
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: ND_PRINT((ndo, "\n\t Node ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
149
150
151
152
153
154
155
156
157
158
break; default: hexdump=TRUE; } break; case LMP_OBJ_CONFIG: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO_CONFIG:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
133
134
135
136
137
138
139
140
141
142
ND_PRINT((ndo, "\n\t Message ID Ack: %u (0x%08x)", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break; case LMP_OBJ_NODE_ID:
+ show +
143
144
145
146
147
148
switch(lmp_obj_ctype) { case LMP_CTYPE_LOC: case LMP_CTYPE_RMT: ND_PRINT((ndo, "\n\t Node ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr)));
+ show +
149
150
151
152
153
154
155
156
157
158
break; default: hexdump=TRUE; } break; case LMP_OBJ_CONFIG: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO_CONFIG:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #9
case LMP_OBJ_CONFIG: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO_CONFIG: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Hello Interval: %u\n\t Hello Dead Interval: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
146
147
148
149
150
151
152
153
154
155
ND_PRINT((ndo, "\n\t Node ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
156
157
158
159
160
161
case LMP_OBJ_CONFIG: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO_CONFIG: ND_PRINT((ndo, "\n\t Hello Interval: %u\n\t Hello Dead Interval: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2)));
+ show +
162
163
164
165
166
167
168
169
170
171
break; default: hexdump=TRUE; } break; case LMP_OBJ_HELLO: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
146
147
148
149
150
151
152
153
154
155
ND_PRINT((ndo, "\n\t Node ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr), EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
156
157
158
159
160
161
case LMP_OBJ_CONFIG: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO_CONFIG: ND_PRINT((ndo, "\n\t Hello Interval: %u\n\t Hello Dead Interval: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2)));
+ show +
162
163
164
165
166
167
168
169
170
171
break; default: hexdump=TRUE; } break; case LMP_OBJ_HELLO: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #10
case LMP_OBJ_HELLO: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO: + if (obj_tlen != 8) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Tx Seq: %u, Rx Seq: %u", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr+4)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
159
160
161
162
163
164
165
166
167
168
ND_PRINT((ndo, "\n\t Hello Interval: %u\n\t Hello Dead Interval: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break;
+ show +
169
170
171
172
173
174
case LMP_OBJ_HELLO: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO: ND_PRINT((ndo, "\n\t Tx Seq: %u, Rx Seq: %u", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr+4)));
+ show +
175
176
177
178
179
180
181
182
183
184
break; default: hexdump=TRUE; } break; case LMP_OBJ_TE_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_te_link_flag_values,
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
159
160
161
162
163
164
165
166
167
168
ND_PRINT((ndo, "\n\t Hello Interval: %u\n\t Hello Dead Interval: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break;
+ show +
169
170
171
172
173
174
case LMP_OBJ_HELLO: switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO: ND_PRINT((ndo, "\n\t Tx Seq: %u, Rx Seq: %u", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr+4)));
+ show +
175
176
177
178
179
180
181
182
183
184
break; default: hexdump=TRUE; } break; case LMP_OBJ_TE_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_te_link_flag_values,

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #11
break; case LMP_OBJ_TE_LINK: + switch(lmp_obj_ctype) { + case LMP_CTYPE_IPV4: + if (obj_tlen != 12) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Flags: [%s]", - bittok2str(lmp_obj_te_link_flag_values, + bittok2str(lmp_obj_te_link_flag_values, "none", - EXTRACT_16BITS(obj_tptr)>>8))); + EXTRACT_8BITS(obj_tptr)))); - switch(lmp_obj_ctype) { - case LMP_CTYPE_IPV4: ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" "\n\t Remote Link-ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
170
171
172
173
174
175
176
177
178
179
switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO: ND_PRINT((ndo, "\n\t Tx Seq: %u, Rx Seq: %u", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr+4))); break; default: hexdump=TRUE; }
+ show +
180
181
182
183
184
185
186
187
188
189
190
191
192
break; case LMP_OBJ_TE_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_te_link_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" "\n\t Remote Link-ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
+ show +
193
194
195
196
197
198
199
200
201
202
EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); break; case LMP_CTYPE_IPV6: case LMP_CTYPE_UNMD: default: hexdump=TRUE; }
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
170
171
172
173
174
175
176
177
178
179
switch(lmp_obj_ctype) { case LMP_CTYPE_HELLO: ND_PRINT((ndo, "\n\t Tx Seq: %u, Rx Seq: %u", EXTRACT_32BITS(obj_tptr), EXTRACT_32BITS(obj_tptr+4))); break; default: hexdump=TRUE; }
+ show +
180
181
182
183
184
185
186
187
188
189
190
191
192
break; case LMP_OBJ_TE_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_te_link_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" "\n\t Remote Link-ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
+ show +
193
194
195
196
197
198
199
200
201
202
EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); break; case LMP_CTYPE_IPV6: case LMP_CTYPE_UNMD: default: hexdump=TRUE; }

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #12
break; case LMP_CTYPE_IPV6: + if (obj_tlen != 36) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } + ND_PRINT((ndo, "\n\t Flags: [%s]", + bittok2str(lmp_obj_te_link_flag_values, + "none", + EXTRACT_8BITS(obj_tptr)))); + + ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" + "\n\t Remote Link-ID: %s (0x%08x)", + ip6addr_string(ndo, obj_tptr+4), + EXTRACT_32BITS(obj_tptr+4), + ip6addr_string(ndo, obj_tptr+20), + EXTRACT_32BITS(obj_tptr+20))); + break; + case LMP_CTYPE_UNMD: + if (obj_tlen != 12) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } + ND_PRINT((ndo, "\n\t Flags: [%s]", + bittok2str(lmp_obj_te_link_flag_values, + "none", + EXTRACT_8BITS(obj_tptr)))); + + ND_PRINT((ndo, "\n\t Local Link-ID: %u (0x%08x)" + "\n\t Remote Link-ID: %u (0x%08x)", + EXTRACT_32BITS(obj_tptr+4), + EXTRACT_32BITS(obj_tptr+4), + EXTRACT_32BITS(obj_tptr+8), + EXTRACT_32BITS(obj_tptr+8))); + break; + default: hexdump=TRUE; } break; case LMP_OBJ_DATA_LINK: - ND_PRINT((ndo, "\n\t Flags: [%s]", - bittok2str(lmp_obj_data_link_flag_values, - "none", - EXTRACT_16BITS(obj_tptr)>>8))); - switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: - case LMP_CTYPE_UNMD: + if (obj_tlen < 12) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } + ND_PRINT((ndo, "\n\t Flags: [%s]", + bittok2str(lmp_obj_data_link_flag_values, + "none", + EXTRACT_8BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" "\n\t Remote Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
186
187
188
189
190
191
192
193
194
195
EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" "\n\t Remote Link-ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4), EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8)));
+ show +
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
break; case LMP_CTYPE_IPV6: case LMP_CTYPE_UNMD: default: hexdump=TRUE; } break; case LMP_OBJ_DATA_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_data_link_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" "\n\t Remote Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
+ show +
217
218
219
220
221
222
223
224
225
226
EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); total_subobj_len = lmp_obj_len - 16; offset = 12; while (total_subobj_len > 0 && hexdump == FALSE ) { subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8; subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF; ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
186
187
188
189
190
191
192
193
194
195
EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)" "\n\t Remote Link-ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4), EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8)));
+ show +
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
break; case LMP_CTYPE_IPV6: case LMP_CTYPE_UNMD: default: hexdump=TRUE; } break; case LMP_OBJ_DATA_LINK: ND_PRINT((ndo, "\n\t Flags: [%s]", bittok2str(lmp_obj_data_link_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" "\n\t Remote Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4),
+ show +
217
218
219
220
221
222
223
224
225
226
EXTRACT_32BITS(obj_tptr+4), ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); total_subobj_len = lmp_obj_len - 16; offset = 12; while (total_subobj_len > 0 && hexdump == FALSE ) { subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8; subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF; ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #13
ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); - total_subobj_len = lmp_obj_len - 16; - offset = 12; - while (total_subobj_len > 0 && hexdump == FALSE ) { - subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8; - subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF; - ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u", - tok2str(lmp_data_link_subobj, - "Unknown", - subobj_type), - subobj_type, - subobj_len)); - switch(subobj_type) { - case INT_SWITCHING_TYPE_SUBOBJ: - ND_PRINT((ndo, "\n\t Switching Type: %s (%u)", - tok2str(gmpls_switch_cap_values, - "Unknown", - EXTRACT_16BITS(obj_tptr+offset+2)>>8), - EXTRACT_16BITS(obj_tptr+offset+2)>>8)); - ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)", - tok2str(gmpls_encoding_values, - "Unknown", - EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF), - EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF)); - bw.i = EXTRACT_32BITS(obj_tptr+offset+4); - ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", - bw.f*8/1000000)); - bw.i = EXTRACT_32BITS(obj_tptr+offset+8); - ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps", - bw.f*8/1000000)); - break; - case WAVELENGTH_SUBOBJ: - ND_PRINT((ndo, "\n\t Wavelength: %u", - EXTRACT_32BITS(obj_tptr+offset+4))); - break; - default: - /* Any Unknown Subobject ==> Exit loop */ - hexdump=TRUE; - break; - } - total_subobj_len-=subobj_len; - offset+=subobj_len; - } - + if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + hexdump=TRUE; break; + case LMP_CTYPE_IPV6: + if (obj_tlen < 36) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } + ND_PRINT((ndo, "\n\t Flags: [%s]", + bittok2str(lmp_obj_data_link_flag_values, + "none", + EXTRACT_8BITS(obj_tptr)))); + ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" + "\n\t Remote Interface ID: %s (0x%08x)", + ip6addr_string(ndo, obj_tptr+4), + EXTRACT_32BITS(obj_tptr+4), + ip6addr_string(ndo, obj_tptr+20), + EXTRACT_32BITS(obj_tptr+20))); + + if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36)) + hexdump=TRUE; + break; + + case LMP_CTYPE_UNMD: + if (obj_tlen < 12) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } + ND_PRINT((ndo, "\n\t Flags: [%s]", + bittok2str(lmp_obj_data_link_flag_values, + "none", + EXTRACT_8BITS(obj_tptr)))); + ND_PRINT((ndo, "\n\t Local Interface ID: %u (0x%08x)" + "\n\t Remote Interface ID: %u (0x%08x)", + EXTRACT_32BITS(obj_tptr+4), + EXTRACT_32BITS(obj_tptr+4), + EXTRACT_32BITS(obj_tptr+8), + EXTRACT_32BITS(obj_tptr+8))); + + if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + hexdump=TRUE; + break; + default: hexdump=TRUE; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
208
209
210
211
212
213
214
215
216
217
"none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" "\n\t Remote Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4), EXTRACT_32BITS(obj_tptr+4),
+ show +
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); total_subobj_len = lmp_obj_len - 16; offset = 12; while (total_subobj_len > 0 && hexdump == FALSE ) { subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8; subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF; ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u", tok2str(lmp_data_link_subobj, "Unknown", subobj_type), subobj_type, subobj_len)); switch(subobj_type) { case INT_SWITCHING_TYPE_SUBOBJ: ND_PRINT((ndo, "\n\t Switching Type: %s (%u)", tok2str(gmpls_switch_cap_values, "Unknown", EXTRACT_16BITS(obj_tptr+offset+2)>>8), EXTRACT_16BITS(obj_tptr+offset+2)>>8)); ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)", tok2str(gmpls_encoding_values, "Unknown", EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF), EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF)); bw.i = EXTRACT_32BITS(obj_tptr+offset+4); ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); bw.i = EXTRACT_32BITS(obj_tptr+offset+8); ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); break; case WAVELENGTH_SUBOBJ: ND_PRINT((ndo, "\n\t Wavelength: %u", EXTRACT_32BITS(obj_tptr+offset+4))); break; default: /* Any Unknown Subobject ==> Exit loop */ hexdump=TRUE; break; } total_subobj_len-=subobj_len; offset+=subobj_len; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
269
270
271
272
273
274
275
276
277
278
break; case LMP_OBJ_VERIFY_BEGIN: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_begin_verify_flag_values, "none", EXTRACT_16BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t Verify Interval: %u",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
208
209
210
211
212
213
214
215
216
217
"none", EXTRACT_16BITS(obj_tptr)>>8))); switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)" "\n\t Remote Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+4), EXTRACT_32BITS(obj_tptr+4),
+ show +
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); total_subobj_len = lmp_obj_len - 16; offset = 12; while (total_subobj_len > 0 && hexdump == FALSE ) { subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8; subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF; ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u", tok2str(lmp_data_link_subobj, "Unknown", subobj_type), subobj_type, subobj_len)); switch(subobj_type) { case INT_SWITCHING_TYPE_SUBOBJ: ND_PRINT((ndo, "\n\t Switching Type: %s (%u)", tok2str(gmpls_switch_cap_values, "Unknown", EXTRACT_16BITS(obj_tptr+offset+2)>>8), EXTRACT_16BITS(obj_tptr+offset+2)>>8)); ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)", tok2str(gmpls_encoding_values, "Unknown", EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF), EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF)); bw.i = EXTRACT_32BITS(obj_tptr+offset+4); ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); bw.i = EXTRACT_32BITS(obj_tptr+offset+8); ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); break; case WAVELENGTH_SUBOBJ: ND_PRINT((ndo, "\n\t Wavelength: %u", EXTRACT_32BITS(obj_tptr+offset+4))); break; default: /* Any Unknown Subobject ==> Exit loop */ hexdump=TRUE; break; } total_subobj_len-=subobj_len; offset+=subobj_len; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
269
270
271
272
273
274
275
276
277
278
break; case LMP_OBJ_VERIFY_BEGIN: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_begin_verify_flag_values, "none", EXTRACT_16BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t Verify Interval: %u",

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #14
case LMP_OBJ_VERIFY_BEGIN: switch(lmp_obj_ctype) { case LMP_CTYPE_1: + if (obj_tlen != 20) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_begin_verify_flag_values, "none",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
261
262
263
264
265
266
267
268
269
270
offset+=subobj_len; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
271
272
273
274
275
276
case LMP_OBJ_VERIFY_BEGIN: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_begin_verify_flag_values, "none",
+ show +
277
278
279
280
281
282
283
284
285
286
EXTRACT_16BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t Verify Interval: %u", EXTRACT_16BITS(obj_tptr+2))); ND_PRINT((ndo, "\n\t Data links: %u", EXTRACT_32BITS(obj_tptr+4))); ND_PRINT((ndo, "\n\t Encoding type: %s", tok2str(gmpls_encoding_values, "Unknown", *(obj_tptr+8)))); ND_PRINT((ndo, "\n\t Verify Transport Mechanism: %u (0x%x)%s", EXTRACT_16BITS(obj_tptr+10), EXTRACT_16BITS(obj_tptr+10),
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
261
262
263
264
265
266
267
268
269
270
offset+=subobj_len; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
271
272
273
274
275
276
case LMP_OBJ_VERIFY_BEGIN: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_begin_verify_flag_values, "none",
+ show +
277
278
279
280
281
282
283
284
285
286
EXTRACT_16BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t Verify Interval: %u", EXTRACT_16BITS(obj_tptr+2))); ND_PRINT((ndo, "\n\t Data links: %u", EXTRACT_32BITS(obj_tptr+4))); ND_PRINT((ndo, "\n\t Encoding type: %s", tok2str(gmpls_encoding_values, "Unknown", *(obj_tptr+8)))); ND_PRINT((ndo, "\n\t Verify Transport Mechanism: %u (0x%x)%s", EXTRACT_16BITS(obj_tptr+10), EXTRACT_16BITS(obj_tptr+10),

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #15
case LMP_OBJ_VERIFY_BEGIN_ACK: switch(lmp_obj_ctype) { case LMP_CTYPE_1: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Verify Dead Interval: %u" "\n\t Verify Transport Response: %u", EXTRACT_16BITS(obj_tptr),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
289
290
291
292
293
294
295
296
297
298
ND_PRINT((ndo, "\n\t Transmission Rate: %.3f Mbps",bw.f*8/1000000)); ND_PRINT((ndo, "\n\t Wavelength: %u", EXTRACT_32BITS(obj_tptr+16))); break; default: hexdump=TRUE; } break;
+ show +
299
300
301
302
303
304
case LMP_OBJ_VERIFY_BEGIN_ACK: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify Dead Interval: %u" "\n\t Verify Transport Response: %u", EXTRACT_16BITS(obj_tptr),
+ show +
305
306
307
308
309
310
311
312
313
314
EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break; case LMP_OBJ_VERIFY_ID: switch(lmp_obj_ctype) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
289
290
291
292
293
294
295
296
297
298
ND_PRINT((ndo, "\n\t Transmission Rate: %.3f Mbps",bw.f*8/1000000)); ND_PRINT((ndo, "\n\t Wavelength: %u", EXTRACT_32BITS(obj_tptr+16))); break; default: hexdump=TRUE; } break;
+ show +
299
300
301
302
303
304
case LMP_OBJ_VERIFY_BEGIN_ACK: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify Dead Interval: %u" "\n\t Verify Transport Response: %u", EXTRACT_16BITS(obj_tptr),
+ show +
305
306
307
308
309
310
311
312
313
314
EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break; case LMP_OBJ_VERIFY_ID: switch(lmp_obj_ctype) {

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #16
case LMP_OBJ_VERIFY_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Verify ID: %u", EXTRACT_32BITS(obj_tptr))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
303
304
305
306
307
308
309
310
311
312
"\n\t Verify Transport Response: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break;
+ show +
313
314
315
316
317
318
case LMP_OBJ_VERIFY_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify ID: %u", EXTRACT_32BITS(obj_tptr))); break;
+ show +
319
320
321
322
323
324
325
326
327
328
default: hexdump=TRUE; } break; case LMP_OBJ_CHANNEL_STATUS: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
303
304
305
306
307
308
309
310
311
312
"\n\t Verify Transport Response: %u", EXTRACT_16BITS(obj_tptr), EXTRACT_16BITS(obj_tptr+2))); break; default: hexdump=TRUE; } break;
+ show +
313
314
315
316
317
318
case LMP_OBJ_VERIFY_ID: switch(lmp_obj_ctype) { case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify ID: %u", EXTRACT_32BITS(obj_tptr))); break;
+ show +
319
320
321
322
323
324
325
326
327
328
default: hexdump=TRUE; } break; case LMP_OBJ_CHANNEL_STATUS: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #17
case LMP_OBJ_CHANNEL_STATUS: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: - case LMP_CTYPE_UNMD: offset = 0; /* Decode pairs: <Interface_ID (4 bytes), Channel_status (4 bytes)> */ - while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { + while (offset+8 <= obj_tlen) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); - ND_PRINT((ndo, "\n\t\t Active: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ? + ND_PRINT((ndo, "\n\t\t Active: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ? "Allocated" : "Non-allocated", (EXTRACT_32BITS(obj_tptr+offset+4)>>31))); - ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? + ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? "Transmit" : "Receive", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
315
316
317
318
319
320
321
322
323
324
case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify ID: %u", EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
case LMP_OBJ_CHANNEL_STATUS: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; /* Decode pairs: <Interface_ID (4 bytes), Channel_status (4 bytes)> */ while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); ND_PRINT((ndo, "\n\t\t Active: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ? "Allocated" : "Non-allocated", (EXTRACT_32BITS(obj_tptr+offset+4)>>31))); ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? "Transmit" : "Receive", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
+ show +
343
344
345
346
347
348
349
350
351
352
ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", tok2str(lmp_obj_channel_status_values, "Unknown", EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF), EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF)); offset+=8; } break; case LMP_CTYPE_IPV6:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
315
316
317
318
319
320
321
322
323
324
case LMP_CTYPE_1: ND_PRINT((ndo, "\n\t Verify ID: %u", EXTRACT_32BITS(obj_tptr))); break; default: hexdump=TRUE; } break;
+ show +
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
case LMP_OBJ_CHANNEL_STATUS: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; /* Decode pairs: <Interface_ID (4 bytes), Channel_status (4 bytes)> */ while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); ND_PRINT((ndo, "\n\t\t Active: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ? "Allocated" : "Non-allocated", (EXTRACT_32BITS(obj_tptr+offset+4)>>31))); ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? "Transmit" : "Receive", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
+ show +
343
344
345
346
347
348
349
350
351
352
ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", tok2str(lmp_obj_channel_status_values, "Unknown", EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF), EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF)); offset+=8; } break; case LMP_CTYPE_IPV6:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #18
offset+=8; } break; + case LMP_CTYPE_IPV6: + offset = 0; + /* Decode pairs: <Interface_ID (16 bytes), Channel_status (4 bytes)> */ + while (offset+20 <= obj_tlen) { + ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", + ip6addr_string(ndo, obj_tptr+offset), + EXTRACT_32BITS(obj_tptr+offset))); + + ND_PRINT((ndo, "\n\t\t Active: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+16)>>31) ? + "Allocated" : "Non-allocated", + (EXTRACT_32BITS(obj_tptr+offset+16)>>31))); + + ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+16)>>30)&0x1 ? + "Transmit" : "Receive", + (EXTRACT_32BITS(obj_tptr+offset+16)>>30)&0x1)); + + ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", + tok2str(lmp_obj_channel_status_values, + "Unknown", + EXTRACT_32BITS(obj_tptr+offset+16)&0x3FFFFFF), + EXTRACT_32BITS(obj_tptr+offset+16)&0x3FFFFFF)); + offset+=20; + } + break; + + case LMP_CTYPE_UNMD: + offset = 0; + /* Decode pairs: <Interface_ID (4 bytes), Channel_status (4 bytes)> */ + while (offset+8 <= obj_tlen) { + ND_PRINT((ndo, "\n\t Interface ID: %u (0x%08x)", + EXTRACT_32BITS(obj_tptr+offset), + EXTRACT_32BITS(obj_tptr+offset))); + + ND_PRINT((ndo, "\n\t\t Active: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ? + "Allocated" : "Non-allocated", + (EXTRACT_32BITS(obj_tptr+offset+4)>>31))); + + ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", + (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? + "Transmit" : "Receive", + (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1)); + + ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", + tok2str(lmp_obj_channel_status_values, + "Unknown", + EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF), + EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF)); + offset+=8; + } + break; + default: hexdump=TRUE; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
339
340
341
342
343
344
345
346
347
348
ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? "Transmit" : "Receive", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1)); ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", tok2str(lmp_obj_channel_status_values, "Unknown", EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF), EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF));
+ show +
349
350
351
352
353
354
355
offset+=8; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
356
357
358
359
360
361
362
363
364
365
break; case LMP_OBJ_CHANNEL_STATUS_REQ: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset),
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
339
340
341
342
343
344
345
346
347
348
ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ? "Transmit" : "Receive", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1)); ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)", tok2str(lmp_obj_channel_status_values, "Unknown", EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF), EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF));
+ show +
349
350
351
352
353
354
355
offset+=8; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
356
357
358
359
360
361
362
363
364
365
break; case LMP_OBJ_CHANNEL_STATUS_REQ: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset),

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #19
case LMP_OBJ_CHANNEL_STATUS_REQ: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: - case LMP_CTYPE_UNMD: offset = 0; - while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { + while (offset+4 <= obj_tlen) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); offset+=4; } break; + case LMP_CTYPE_IPV6: + offset = 0; + while (offset+16 <= obj_tlen) { + ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", + ip6addr_string(ndo, obj_tptr+offset), + EXTRACT_32BITS(obj_tptr+offset))); + offset+=16; + } + break; + + case LMP_CTYPE_UNMD: + offset = 0; + while (offset+4 <= obj_tlen) { + ND_PRINT((ndo, "\n\t Interface ID: %u (0x%08x)", + EXTRACT_32BITS(obj_tptr+offset), + EXTRACT_32BITS(obj_tptr+offset))); + offset+=4; + } + break; + default: hexdump=TRUE; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
348
349
350
351
352
353
354
355
356
357
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF)); offset+=8; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
case LMP_OBJ_CHANNEL_STATUS_REQ: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); offset+=4; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
374
375
376
377
378
379
380
381
382
383
break; case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
348
349
350
351
352
353
354
355
356
357
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF)); offset+=8; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
case LMP_OBJ_CHANNEL_STATUS_REQ: switch(lmp_obj_ctype) { case LMP_CTYPE_IPV4: case LMP_CTYPE_UNMD: offset = 0; while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) { ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+offset), EXTRACT_32BITS(obj_tptr+offset))); offset+=4; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; }
+ show +
374
375
376
377
378
379
380
381
382
383
break; case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break;

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #20
case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
366
367
368
369
370
371
372
373
374
375
EXTRACT_32BITS(obj_tptr+offset))); offset+=4; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
376
377
378
379
380
381
case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none",
+ show +
382
383
384
385
386
387
388
389
390
391
EXTRACT_32BITS(obj_tptr)))); break; case LMP_CTYPE_LINK_SUMMARY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break; default:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
366
367
368
369
370
371
372
373
374
375
EXTRACT_32BITS(obj_tptr+offset))); offset+=4; } break; case LMP_CTYPE_IPV6: default: hexdump=TRUE; } break;
+ show +
376
377
378
379
380
381
case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none",
+ show +
382
383
384
385
386
387
388
389
390
391
EXTRACT_32BITS(obj_tptr)))); break; case LMP_CTYPE_LINK_SUMMARY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break; default:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #21
break; case LMP_CTYPE_LINK_SUMMARY_ERROR: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
373
374
375
376
377
378
379
380
381
382
} break; case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none", EXTRACT_32BITS(obj_tptr))));
+ show +
383
384
385
386
387
388
break; case LMP_CTYPE_LINK_SUMMARY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none",
+ show +
389
390
391
392
393
394
395
396
397
398
EXTRACT_32BITS(obj_tptr)))); break; default: hexdump=TRUE; } break; case LMP_OBJ_SERVICE_CONFIG: switch (lmp_obj_ctype) { case LMP_CTYPE_SERVICE_CONFIG_SP:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
373
374
375
376
377
378
379
380
381
382
} break; case LMP_OBJ_ERROR_CODE: switch(lmp_obj_ctype) { case LMP_CTYPE_BEGIN_VERIFY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_begin_verify_error_values, "none", EXTRACT_32BITS(obj_tptr))));
+ show +
383
384
385
386
387
388
break; case LMP_CTYPE_LINK_SUMMARY_ERROR: ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none",
+ show +
389
390
391
392
393
394
395
396
397
398
EXTRACT_32BITS(obj_tptr)))); break; default: hexdump=TRUE; } break; case LMP_OBJ_SERVICE_CONFIG: switch (lmp_obj_ctype) { case LMP_CTYPE_SERVICE_CONFIG_SP:

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #22
case LMP_OBJ_SERVICE_CONFIG: switch (lmp_obj_ctype) { case LMP_CTYPE_SERVICE_CONFIG_SP: - + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_service_config_sp_flag_values, "none", - EXTRACT_16BITS(obj_tptr)>>8))); + EXTRACT_8BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t UNI Version: %u", - EXTRACT_16BITS(obj_tptr) & 0x00FF)); + EXTRACT_8BITS(obj_tptr+1))); break; case LMP_CTYPE_SERVICE_CONFIG_CPSA: + if (obj_tlen != 16) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } - link_type = EXTRACT_16BITS(obj_tptr)>>8; + link_type = EXTRACT_8BITS(obj_tptr); ND_PRINT((ndo, "\n\t Link Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_link_type_values, "Unknown", link_type), link_type)); - if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) { + switch (link_type) { + case LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH: ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values, "Unknown", - EXTRACT_16BITS(obj_tptr) & 0x00FF), - EXTRACT_16BITS(obj_tptr) & 0x00FF)); - } + EXTRACT_8BITS(obj_tptr+1)), + EXTRACT_8BITS(obj_tptr+1))); + break; - if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) { + case LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET: ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values, "Unknown", - EXTRACT_16BITS(obj_tptr) & 0x00FF), - EXTRACT_16BITS(obj_tptr) & 0x00FF)); + EXTRACT_8BITS(obj_tptr+1)), + EXTRACT_8BITS(obj_tptr+1))); + break; } ND_PRINT((ndo, "\n\t Transparency: %s", bittok2str(lmp_obj_service_config_cpsa_tp_flag_values, "none", - EXTRACT_16BITS(obj_tptr+2)>>8))); + EXTRACT_8BITS(obj_tptr+2)))); ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s", bittok2str(lmp_obj_service_config_cpsa_cct_flag_values, "none", - EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF))); + EXTRACT_8BITS(obj_tptr+3)))); ND_PRINT((ndo, "\n\t Minimum NCC: %u", EXTRACT_16BITS(obj_tptr+4)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
386
387
388
389
390
391
392
393
394
395
ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break; default: hexdump=TRUE; } break;
+ show +
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
case LMP_OBJ_SERVICE_CONFIG: switch (lmp_obj_ctype) { case LMP_CTYPE_SERVICE_CONFIG_SP: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_service_config_sp_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); ND_PRINT((ndo, "\n\t UNI Version: %u", EXTRACT_16BITS(obj_tptr) & 0x00FF)); break; case LMP_CTYPE_SERVICE_CONFIG_CPSA: link_type = EXTRACT_16BITS(obj_tptr)>>8; ND_PRINT((ndo, "\n\t Link Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_link_type_values, "Unknown", link_type), link_type)); if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) { ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values, "Unknown", EXTRACT_16BITS(obj_tptr) & 0x00FF), EXTRACT_16BITS(obj_tptr) & 0x00FF)); } if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) { ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values, "Unknown", EXTRACT_16BITS(obj_tptr) & 0x00FF), EXTRACT_16BITS(obj_tptr) & 0x00FF)); } ND_PRINT((ndo, "\n\t Transparency: %s", bittok2str(lmp_obj_service_config_cpsa_tp_flag_values, "none", EXTRACT_16BITS(obj_tptr+2)>>8))); ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s", bittok2str(lmp_obj_service_config_cpsa_cct_flag_values, "none", EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF))); ND_PRINT((ndo, "\n\t Minimum NCC: %u", EXTRACT_16BITS(obj_tptr+4)));
+ show +
447
448
449
450
451
452
453
454
455
456
ND_PRINT((ndo, "\n\t Maximum NCC: %u", EXTRACT_16BITS(obj_tptr+6))); ND_PRINT((ndo, "\n\t Minimum NVC:%u", EXTRACT_16BITS(obj_tptr+8))); ND_PRINT((ndo, "\n\t Maximum NVC:%u", EXTRACT_16BITS(obj_tptr+10)));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
386
387
388
389
390
391
392
393
394
395
ND_PRINT((ndo, "\n\t Error Code: %s", bittok2str(lmp_obj_link_summary_error_values, "none", EXTRACT_32BITS(obj_tptr)))); break; default: hexdump=TRUE; } break;
+ show +
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
case LMP_OBJ_SERVICE_CONFIG: switch (lmp_obj_ctype) { case LMP_CTYPE_SERVICE_CONFIG_SP: ND_PRINT((ndo, "\n\t Flags: %s", bittok2str(lmp_obj_service_config_sp_flag_values, "none", EXTRACT_16BITS(obj_tptr)>>8))); ND_PRINT((ndo, "\n\t UNI Version: %u", EXTRACT_16BITS(obj_tptr) & 0x00FF)); break; case LMP_CTYPE_SERVICE_CONFIG_CPSA: link_type = EXTRACT_16BITS(obj_tptr)>>8; ND_PRINT((ndo, "\n\t Link Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_link_type_values, "Unknown", link_type), link_type)); if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) { ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values, "Unknown", EXTRACT_16BITS(obj_tptr) & 0x00FF), EXTRACT_16BITS(obj_tptr) & 0x00FF)); } if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) { ND_PRINT((ndo, "\n\t Signal Type: %s (%u)", tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values, "Unknown", EXTRACT_16BITS(obj_tptr) & 0x00FF), EXTRACT_16BITS(obj_tptr) & 0x00FF)); } ND_PRINT((ndo, "\n\t Transparency: %s", bittok2str(lmp_obj_service_config_cpsa_tp_flag_values, "none", EXTRACT_16BITS(obj_tptr+2)>>8))); ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s", bittok2str(lmp_obj_service_config_cpsa_cct_flag_values, "none", EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF))); ND_PRINT((ndo, "\n\t Minimum NCC: %u", EXTRACT_16BITS(obj_tptr+4)));
+ show +
447
448
449
450
451
452
453
454
455
456
ND_PRINT((ndo, "\n\t Maximum NCC: %u", EXTRACT_16BITS(obj_tptr+6))); ND_PRINT((ndo, "\n\t Minimum NVC:%u", EXTRACT_16BITS(obj_tptr+8))); ND_PRINT((ndo, "\n\t Maximum NVC:%u", EXTRACT_16BITS(obj_tptr+10)));

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #23
break; case LMP_CTYPE_SERVICE_CONFIG_TRANSPARENCY_TCM: + if (obj_tlen != 8) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Transparency Flags: %s", bittok2str(
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
451
452
453
454
455
456
457
458
459
460
ND_PRINT((ndo, "\n\t Minimum NVC:%u", EXTRACT_16BITS(obj_tptr+8))); ND_PRINT((ndo, "\n\t Maximum NVC:%u", EXTRACT_16BITS(obj_tptr+10))); ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+12), EXTRACT_32BITS(obj_tptr+12)));
+ show +
461
462
463
464
465
466
break; case LMP_CTYPE_SERVICE_CONFIG_TRANSPARENCY_TCM: ND_PRINT((ndo, "\n\t Transparency Flags: %s", bittok2str(
+ show +
467
468
469
470
471
472
473
474
475
476
lmp_obj_service_config_nsa_transparency_flag_values, "none", EXTRACT_32BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t TCM Monitoring Flags: %s", bittok2str( lmp_obj_service_config_nsa_tcm_flag_values, "none", EXTRACT_16BITS(obj_tptr+6) & 0x00FF)));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
451
452
453
454
455
456
457
458
459
460
ND_PRINT((ndo, "\n\t Minimum NVC:%u", EXTRACT_16BITS(obj_tptr+8))); ND_PRINT((ndo, "\n\t Maximum NVC:%u", EXTRACT_16BITS(obj_tptr+10))); ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)", ipaddr_string(ndo, obj_tptr+12), EXTRACT_32BITS(obj_tptr+12)));
+ show +
461
462
463
464
465
466
break; case LMP_CTYPE_SERVICE_CONFIG_TRANSPARENCY_TCM: ND_PRINT((ndo, "\n\t Transparency Flags: %s", bittok2str(
+ show +
467
468
469
470
471
472
473
474
475
476
lmp_obj_service_config_nsa_transparency_flag_values, "none", EXTRACT_32BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t TCM Monitoring Flags: %s", bittok2str( lmp_obj_service_config_nsa_tcm_flag_values, "none", EXTRACT_16BITS(obj_tptr+6) & 0x00FF)));

[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #24
bittok2str( lmp_obj_service_config_nsa_tcm_flag_values, "none", - EXTRACT_16BITS(obj_tptr+6) & 0x00FF))); + EXTRACT_8BITS(obj_tptr+7)))); break; case LMP_CTYPE_SERVICE_CONFIG_NETWORK_DIVERSITY: + if (obj_tlen != 4) { + ND_PRINT((ndo, " (not correct for object)")); + break; + } ND_PRINT((ndo, "\n\t Diversity: Flags: %s", bittok2str( lmp_obj_service_config_nsa_network_diversity_flag_values, "none", - EXTRACT_16BITS(obj_tptr+2) & 0x00FF))); + EXTRACT_8BITS(obj_tptr+3)))); break; default:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
462
463
464
465
466
467
468
469
470
471
case LMP_CTYPE_SERVICE_CONFIG_TRANSPARENCY_TCM: ND_PRINT((ndo, "\n\t Transparency Flags: %s", bittok2str( lmp_obj_service_config_nsa_transparency_flag_values, "none", EXTRACT_32BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t TCM Monitoring Flags: %s",
+ show +
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
bittok2str( lmp_obj_service_config_nsa_tcm_flag_values, "none", EXTRACT_16BITS(obj_tptr+6) & 0x00FF))); break; case LMP_CTYPE_SERVICE_CONFIG_NETWORK_DIVERSITY: ND_PRINT((ndo, "\n\t Diversity: Flags: %s", bittok2str( lmp_obj_service_config_nsa_network_diversity_flag_values, "none", EXTRACT_16BITS(obj_tptr+2) & 0x00FF))); break; default:
+ show +
489
490
491
492
493
494
495
496
497
498
hexdump = TRUE; } break; default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo,obj_tptr,"\n\t ",obj_tlen); break; }
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
462
463
464
465
466
467
468
469
470
471
case LMP_CTYPE_SERVICE_CONFIG_TRANSPARENCY_TCM: ND_PRINT((ndo, "\n\t Transparency Flags: %s", bittok2str( lmp_obj_service_config_nsa_transparency_flag_values, "none", EXTRACT_32BITS(obj_tptr)))); ND_PRINT((ndo, "\n\t TCM Monitoring Flags: %s",
+ show +
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
bittok2str( lmp_obj_service_config_nsa_tcm_flag_values, "none", EXTRACT_16BITS(obj_tptr+6) & 0x00FF))); break; case LMP_CTYPE_SERVICE_CONFIG_NETWORK_DIVERSITY: ND_PRINT((ndo, "\n\t Diversity: Flags: %s", bittok2str( lmp_obj_service_config_nsa_network_diversity_flag_values, "none", EXTRACT_16BITS(obj_tptr+2) & 0x00FF))); break; default:
+ show +
489
490
491
492
493
494
495
496
497
498
hexdump = TRUE; }; break; default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo,obj_tptr,"\n\t ",obj_tlen); break; }

[tcpdump_CVE-2017-13006_1488772580_l2tp_avp_print.diff] l2tp_avp_print_OLD.c #1
/* If it goes past the end of the remaining length of the captured data, we'll give up. */ ND_TCHECK2(*ptr, len); - /* After this point, no need to worry about truncation */ + + /* + * After this point, we don't need to check whether we go past + * the length of the captured data; however, we *do* need to + * check whether we go past the end of the AVP. + */ if (EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_FLAG_MANDATORY) { ND_PRINT((ndo, "*"));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13006_before_1mo_1441831358_l2tp_avp_print.c
17
18
19
20
21
22
23
24
25
26
/* If it is not long enough to contain the header, we'll give up. */ if (len < 6) goto trunc; /* If it goes past the end of the remaining length of the packet, we'll give up. */ if (len > (u_int)length) goto trunc;
+ show +
27
28
29
30
31
32
33
/* If it goes past the end of the remaining length of the captured data, we'll give up. */ ND_TCHECK2(*ptr, len); /* After this point, no need to worry about truncation */ if (EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_FLAG_MANDATORY) { ND_PRINT((ndo, "*"));
+ show +
34
35
36
37
38
39
40
41
42
43
} if (EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_FLAG_HIDDEN) { hidden = TRUE; ND_PRINT((ndo, "?")); } ptr++; if (EXTRACT_16BITS(ptr)) { /* Vendor Specific Attribute */ ND_PRINT((ndo, "VENDOR%04x:", EXTRACT_16BITS(ptr))); ptr++;

[tcpdump_CVE-2017-13006_1488772580_l2tp_avp_print.diff] l2tp_avp_print_OLD.c #2
} else { switch (attr_type) { case L2TP_AVP_MSGTYPE: - l2tp_msgtype_print(ndo, (const u_char *)ptr); + l2tp_msgtype_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_RESULT_CODE: l2tp_result_code_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_PROTO_VER: - l2tp_proto_ver_print(ndo, ptr); + l2tp_proto_ver_print(ndo, ptr, len-6); break; case L2TP_AVP_FRAMING_CAP: - l2tp_framing_cap_print(ndo, (const u_char *)ptr); + l2tp_framing_cap_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_BEARER_CAP: - l2tp_bearer_cap_print(ndo, (const u_char *)ptr); + l2tp_bearer_cap_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_TIE_BREAKER: + if (len-6 < 8) { + ND_PRINT((ndo, "AVP too short")); + break; + } print_octets(ndo, (const u_char *)ptr, 8); break; case L2TP_AVP_FIRM_VER: case L2TP_AVP_ASSND_TUN_ID: case L2TP_AVP_RECV_WIN_SIZE: case L2TP_AVP_ASSND_SESS_ID: + if (len-6 < 2) { + ND_PRINT((ndo, "AVP too short")); + break; + } print_16bits_val(ndo, ptr); break; case L2TP_AVP_HOST_NAME:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13006_before_1mo_1441831358_l2tp_avp_print.c
46
47
48
49
50
51
52
53
54
55
print_octets(ndo, (const u_char *)ptr, len-6); ND_PRINT((ndo, ")")); } else { /* IETF-defined Attributes */ ptr++; attr_type = EXTRACT_16BITS(ptr); ptr++; ND_PRINT((ndo, "%s", tok2str(l2tp_avp2str, "AVP-#%u", attr_type))); ND_PRINT((ndo, "(")); if (hidden) { ND_PRINT((ndo, "???"));
+ show +
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
} else { switch (attr_type) { case L2TP_AVP_MSGTYPE: l2tp_msgtype_print(ndo, (const u_char *)ptr); break; case L2TP_AVP_RESULT_CODE: l2tp_result_code_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_PROTO_VER: l2tp_proto_ver_print(ndo, ptr); break; case L2TP_AVP_FRAMING_CAP: l2tp_framing_cap_print(ndo, (const u_char *)ptr); break; case L2TP_AVP_BEARER_CAP: l2tp_bearer_cap_print(ndo, (const u_char *)ptr); break; case L2TP_AVP_TIE_BREAKER: print_octets(ndo, (const u_char *)ptr, 8); break; case L2TP_AVP_FIRM_VER: case L2TP_AVP_ASSND_TUN_ID: case L2TP_AVP_RECV_WIN_SIZE: case L2TP_AVP_ASSND_SESS_ID: print_16bits_val(ndo, ptr); break; case L2TP_AVP_HOST_NAME:
+ show +
83
84
85
86
87
88
89
90
91
92
case L2TP_AVP_VENDOR_NAME: case L2TP_AVP_CALLING_NUMBER: case L2TP_AVP_CALLED_NUMBER: case L2TP_AVP_SUB_ADDRESS: case L2TP_AVP_PROXY_AUTH_NAME: case L2TP_AVP_PRIVATE_GRP_ID: print_string(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_CHALLENGE: case L2TP_AVP_INI_RECV_LCP:

[tcpdump_CVE-2017-13006_1488772580_l2tp_avp_print.diff] l2tp_avp_print_OLD.c #3
l2tp_q931_cc_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_CHALLENGE_RESP: + if (len-6 < 16) { + ND_PRINT((ndo, "AVP too short")); + break; + } print_octets(ndo, (const u_char *)ptr, 16); break; case L2TP_AVP_CALL_SER_NUM:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13006_before_1mo_1441831358_l2tp_avp_print.c
91
92
93
94
95
96
97
98
99
100
case L2TP_AVP_CHALLENGE: case L2TP_AVP_INI_RECV_LCP: case L2TP_AVP_LAST_SENT_LCP: case L2TP_AVP_LAST_RECV_LCP: case L2TP_AVP_PROXY_AUTH_CHAL: case L2TP_AVP_PROXY_AUTH_RESP: case L2TP_AVP_RANDOM_VECTOR: print_octets(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_Q931_CC:
+ show +
101
102
103
104
105
106
l2tp_q931_cc_print(ndo, (const u_char *)ptr, len-6); break; case L2TP_AVP_CHALLENGE_RESP: print_octets(ndo, (const u_char *)ptr, 16); break; case L2TP_AVP_CALL_SER_NUM:
+ show +
107
108
109
110
111
112
113
114
115
116
case L2TP_AVP_MINIMUM_BPS: case L2TP_AVP_MAXIMUM_BPS: case L2TP_AVP_TX_CONN_SPEED: case L2TP_AVP_PHY_CHANNEL_ID: case L2TP_AVP_RX_CONN_SPEED: print_32bits_val(ndo, (const uint32_t *)ptr); break; case L2TP_AVP_BEARER_TYPE: l2tp_bearer_type_print(ndo, (const u_char *)ptr); break;

[tcpdump_CVE-2017-13007_1488774108_pktap_if_print.diff] pktap_if_print_OLD.c #1
u_int length = h->len; if_printer printer; const pktap_header_t *hdr; + struct pcap_pkthdr nhdr; if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) { ND_PRINT((ndo, "[|pktap]"));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13007_before_1mo_1471267648_pktap_if_print.c
1
2
3
4
5
6
u_int pktap_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p) { uint32_t dlt, hdrlen, rectype; u_int caplen = h->caplen;
+ show +
7
8
9
10
11
12
u_int length = h->len; if_printer printer; const pktap_header_t *hdr; if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) { ND_PRINT((ndo, "[|pktap]"));
+ show +
13
14
15
16
17
18
19
20
21
22
return (0); } hdr = (const pktap_header_t *)p; dlt = EXTRACT_LE_32BITS(&hdr->pkt_dlt); hdrlen = EXTRACT_LE_32BITS(&hdr->pkt_len); if (hdrlen < sizeof(pktap_header_t)) { /* * Claimed header length < structure length. * XXX - does this just mean some fields aren't * being supplied, or is it truly an error (i.e.,

[tcpdump_CVE-2017-13007_1488774108_pktap_if_print.diff] pktap_if_print_OLD.c #2
case PKT_REC_PACKET: if ((printer = lookup_printer(dlt)) != NULL) { - hdrlen += printer(ndo, h, p); + nhdr = *h; + nhdr.caplen = caplen; + nhdr.len = length; + hdrlen += printer(ndo, &nhdr, p); } else { if (!ndo->ndo_eflag) pktap_header_print(ndo, (const u_char *)hdr,
.\cloneFuncs\totalClone\Type-1\CVE-2017-13007_before_1mo_1471267648_pktap_if_print.c
38
39
40
41
42
43
44
45
46
47
caplen -= hdrlen; p += hdrlen; rectype = EXTRACT_LE_32BITS(&hdr->pkt_rectype); switch (rectype) { case PKT_REC_NONE: ND_PRINT((ndo, "no data")); break;
+ show +
48
49
50
51
52
53
case PKT_REC_PACKET: if ((printer = lookup_printer(dlt)) != NULL) { hdrlen += printer(ndo, h, p); } else { if (!ndo->ndo_eflag) pktap_header_print(ndo, (const u_char *)hdr,
+ show +
54
55
56
57
58
59
60
61
62
63
length + hdrlen); if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(p, caplen); } break; } return (hdrlen); }

[tcpdump_CVE-2017-13008_1488822169_parse_elements.diff] parse_elements_OLD.c #4
offset += 3; length -= 3; - memcpy(tim.bitmap, p + offset + 3, tim.length - 3); + memcpy(tim.bitmap, p + offset, tim.length - 3); offset += tim.length - 3; length -= tim.length - 3; /*
.\cloneFuncs\totalClone\Type-1\CVE-2017-13008_before_imd_1486409082_parse_elements.c
183
184
185
186
187
188
189
190
191
192
offset += 2; length -= 2; if (tim.length <= 3) { offset += tim.length; length -= tim.length; break; } if (tim.length - 3 > (int)sizeof tim.bitmap) return 0; memcpy(&tim.count, p + offset, 3);
+ show +
193
194
195
196
197
198
199
offset += 3; length -= 3; memcpy(tim.bitmap, p + offset + 3, tim.length - 3); offset += tim.length - 3; length -= tim.length - 3; /*
+ show +
200
201
202
203
204
205
206
207
208
209
* Present and not truncated. * * If we haven't already seen a TIM IE, * copy this one, otherwise ignore this one, * so we later report the first one we saw. */ if (!pbody->tim_present) { pbody->tim = tim; pbody->tim_present = 1; }

[tcpdump_CVE-2017-13011_1489605141_bittok2str_internal.diff] bittok2str_internal_OLD.c #1
bittok2str_internal(register const struct tok *lp, register const char *fmt, register u_int v, const char *sep) { - static char buf[256]; /* our stringbuffer */ - int buflen=0; + static char buf[1024+1]; /* our string buffer */ + char *bufp = buf; + size_t space_left = sizeof(buf), string_size; register u_int rotbit; /* this is the bit we rotate through all bitpositions */ register u_int tokval; const char * sepstr = "";
.\cloneFuncs\totalClone\Type-1\CVE-2017-13011_before_1mo_1484695535_bittok2str_internal.c
1
static char *
+ show +
2
3
4
5
6
7
8
9
bittok2str_internal(register const struct tok *lp, register const char *fmt, register u_int v, const char *sep) { static char buf[256]; /* our stringbuffer */ int buflen=0; register u_int rotbit; /* this is the bit we rotate through all bitpositions */ register u_int tokval; const char * sepstr = "";
+ show +
10
11
12
13
14
15
16
17
18
19
while (lp != NULL && lp->s != NULL) { tokval=lp->v; /* load our first value */ rotbit=1; while (rotbit != 0) { /* * lets AND the rotating bit with our token value * and see if we have got a match */ if (tokval == (v&rotbit)) {

[tcpdump_CVE-2017-13011_1489605141_bittok2str_internal.diff] bittok2str_internal_OLD.c #2
*/ if (tokval == (v&rotbit)) { /* ok we have found something */ - buflen+=snprintf(buf+buflen, sizeof(buf)-buflen, "%s%s", - sepstr, lp->s); + if (space_left <= 1) + return (buf); /* only enough room left for NUL, if that */ + string_size = strlcpy(bufp, sepstr, space_left); + if (string_size >= space_left) + return (buf); /* we ran out of room */ + bufp += string_size; + space_left -= string_size; + if (space_left <= 1) + return (buf); /* only enough room left for NUL, if that */ + string_size = strlcpy(bufp, lp->s, space_left); + if (string_size >= space_left) + return (buf); /* we ran out of room */ + bufp += string_size; + space_left -= string_size; sepstr = sep; break; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13011_before_1mo_1484695535_bittok2str_internal.c
8
9
10
11
12
13
14
15
16
17
register u_int tokval; const char * sepstr = ""; while (lp != NULL && lp->s != NULL) { tokval=lp->v; /* load our first value */ rotbit=1; while (rotbit != 0) { /* * lets AND the rotating bit with our token value * and see if we have got a match
+ show +
18
19
20
21
22
23
24
25
*/ if (tokval == (v&rotbit)) { /* ok we have found something */ buflen+=snprintf(buf+buflen, sizeof(buf)-buflen, "%s%s", sepstr, lp->s); sepstr = sep; break; }
+ show +
26
27
28
29
30
31
32
33
34
35
rotbit=rotbit<<1; /* no match - lets shift and try again */ } lp++; } if (buflen == 0) /* bummer - lets print the "unknown" message as advised in the fmt string if we got one */ (void)snprintf(buf, sizeof(buf), fmt == NULL ? "#%08x" : fmt, v); return (buf); }

[tcpdump_CVE-2017-13013_1489686871_atmarp_print.diff] atmarp_print_OLD.c #1
switch (op) { case ARPOP_REQUEST: - ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, ATMTPA(ap)))); + ND_PRINT((ndo, "who-has ")); + atmarp_tpaddr_print(ndo, ap, pro); if (ATMTHRD_LEN(ap) != 0) { ND_PRINT((ndo, " (")); atmarp_addr_print(ndo, ATMTHA(ap), ATMTHRD_LEN(ap), ATMTSA(ap), ATMTSLN(ap)); ND_PRINT((ndo, ")")); } - ND_PRINT((ndo, "tell %s", ipaddr_string(ndo, ATMSPA(ap)))); + ND_PRINT((ndo, " tell ")); + atmarp_spaddr_print(ndo, ap, pro); break; case ARPOP_REPLY: - ND_PRINT((ndo, "%s is-at ", ipaddr_string(ndo, ATMSPA(ap)))); + atmarp_spaddr_print(ndo, ap, pro); + ND_PRINT((ndo, " is-at ")); atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_1mo_1471182139_atmarp_print.c
36
37
38
39
40
41
42
43
44
45
if (!ndo->ndo_vflag) { goto out; } } /* print operation */ ND_PRINT((ndo, "%s%s ", ndo->ndo_vflag ? ", " : "", tok2str(arpop_values, "Unknown (%u)", op)));
+ show +
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
switch (op) { case ARPOP_REQUEST: ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, ATMTPA(ap)))); if (ATMTHRD_LEN(ap) != 0) { ND_PRINT((ndo, " (")); atmarp_addr_print(ndo, ATMTHA(ap), ATMTHRD_LEN(ap), ATMTSA(ap), ATMTSLN(ap)); ND_PRINT((ndo, ")")); } ND_PRINT((ndo, "tell %s", ipaddr_string(ndo, ATMSPA(ap)))); break; case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at ", ipaddr_string(ndo, ATMSPA(ap)))); atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); break;
+ show +
64
65
66
67
68
69
70
71
72
73
case ARPOP_INVREQUEST: ND_PRINT((ndo, "who-is ")); atmarp_addr_print(ndo, ATMTHA(ap), ATMTHRD_LEN(ap), ATMTSA(ap), ATMTSLN(ap)); ND_PRINT((ndo, " tell ")); atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); break;

[tcpdump_CVE-2017-13013_1489686871_atmarp_print.diff] atmarp_print_OLD.c #2
case ARPOP_INVREPLY: atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); - ND_PRINT((ndo, "at %s", ipaddr_string(ndo, ATMSPA(ap)))); + ND_PRINT((ndo, "at ")); + atmarp_spaddr_print(ndo, ap, pro); break; case ARPOP_NAK: - ND_PRINT((ndo, "for %s", ipaddr_string(ndo, ATMSPA(ap)))); + ND_PRINT((ndo, "for ")); + atmarp_spaddr_print(ndo, ap, pro); break; default:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_1mo_1471182139_atmarp_print.c
64
65
66
67
68
69
70
71
72
73
case ARPOP_INVREQUEST: ND_PRINT((ndo, "who-is ")); atmarp_addr_print(ndo, ATMTHA(ap), ATMTHRD_LEN(ap), ATMTSA(ap), ATMTSLN(ap)); ND_PRINT((ndo, " tell ")); atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); break;
+ show +
74
75
76
77
78
79
80
81
82
83
84
case ARPOP_INVREPLY: atmarp_addr_print(ndo, ATMSHA(ap), ATMSHRD_LEN(ap), ATMSSA(ap), ATMSSLN(ap)); ND_PRINT((ndo, "at %s", ipaddr_string(ndo, ATMSPA(ap)))); break; case ARPOP_NAK: ND_PRINT((ndo, "for %s", ipaddr_string(ndo, ATMSPA(ap)))); break; default:
+ show +
85
86
87
88
89
90
91
92
93
94
ND_DEFAULTPRINT((const u_char *)ap, caplen); return; } out: ND_PRINT((ndo, ", length %u", length)); return; trunc: ND_PRINT((ndo, "%s", tstr));

[tcpdump_CVE-2017-13013_1489686871_arp_print.diff] arp_print_OLD.c #2
switch (op) { case ARPOP_REQUEST: - ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, TPA(ap)))); + ND_PRINT((ndo, "who-has ")); + tpaddr_print_ip(ndo, ap, pro); if (isnonzero((const u_char *)THA(ap), HRD_LEN(ap))) ND_PRINT((ndo, " (%s)", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); - ND_PRINT((ndo, " tell %s", ipaddr_string(ndo, SPA(ap)))); + ND_PRINT((ndo, " tell ")); + spaddr_print_ip(ndo, ap, pro); break; case ARPOP_REPLY: - ND_PRINT((ndo, "%s is-at %s", - ipaddr_string(ndo, SPA(ap)), + spaddr_print_ip(ndo, ap, pro); + ND_PRINT((ndo, " is-at %s", linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13013_before_imd_1436324935_arp_print.c
55
56
57
58
59
60
61
62
63
64
if (!ndo->ndo_vflag) { goto out; } } /* print operation */ ND_PRINT((ndo, "%s%s ", ndo->ndo_vflag ? ", " : "", tok2str(arpop_values, "Unknown (%u)", op)));
+ show +
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
switch (op) { case ARPOP_REQUEST: ND_PRINT((ndo, "who-has %s", ipaddr_string(ndo, TPA(ap)))); if (isnonzero((const u_char *)THA(ap), HRD_LEN(ap))) ND_PRINT((ndo, " (%s)", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)))); ND_PRINT((ndo, " tell %s", ipaddr_string(ndo, SPA(ap)))); break; case ARPOP_REPLY: ND_PRINT((ndo, "%s is-at %s", ipaddr_string(ndo, SPA(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break;
+ show +
80
81
82
83
84
85
86
87
88
89
case ARPOP_REVREQUEST: ND_PRINT((ndo, "who-is %s tell %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)), linkaddr_string(ndo, SHA(ap), linkaddr, HRD_LEN(ap)))); break; case ARPOP_REVREPLY: ND_PRINT((ndo, "%s at %s", linkaddr_string(ndo, THA(ap), linkaddr, HRD_LEN(ap)),

[tcpdump_CVE-2017-13014_1489688740_wb_prep.diff] wb_prep_OLD.c #1
const u_char *ep = ndo->ndo_snapend; ND_PRINT((ndo, " wb-prep:")); - if (len < sizeof(*prep)) { + if (len < sizeof(*prep) || !ND_TTEST(*prep)) return (-1); - } n = EXTRACT_32BITS(&prep->pp_n); ps = (const struct pgstate *)(prep + 1); while (--n >= 0 && ND_TTEST(*ps)) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13014_before_1mo_1441831358_wb_prep.c
1
2
3
4
5
6
static int wb_prep(netdissect_options *ndo, const struct pkt_prep *prep, u_int len) { int n; const struct pgstate *ps;
+ show +
7
8
9
10
11
12
13
14
15
const u_char *ep = ndo->ndo_snapend; ND_PRINT((ndo, " wb-prep:")); if (len < sizeof(*prep)) { return (-1); } n = EXTRACT_32BITS(&prep->pp_n); ps = (const struct pgstate *)(prep + 1); while (--n >= 0 && ND_TTEST(*ps)) {
+ show +
16
17
18
19
20
21
22
23
24
25
const struct id_off *io, *ie; char c = '<'; ND_PRINT((ndo, " %u/%s:%u", EXTRACT_32BITS(&ps->slot), ipaddr_string(ndo, &ps->page.p_sid), EXTRACT_32BITS(&ps->page.p_uid))); io = (const struct id_off *)(ps + 1); for (ie = io + ps->nid; io < ie && ND_TTEST(*io); ++io) { ND_PRINT((ndo, "%c%s:%u", c, ipaddr_string(ndo, &io->id),

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #1
switch (eap->type) { case EAP_FRAME_TYPE_PACKET: + ND_TCHECK_8BITS(tptr); type = *(tptr); + ND_TCHECK_16BITS(tptr+2); len = EXTRACT_16BITS(tptr+2); ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
25
26
27
28
29
30
31
32
33
34
ND_PRINT((ndo, "%s (%u) v%u, len %u", tok2str(eap_frame_type_values, "unknown", eap->type), eap->type, eap->version, EXTRACT_16BITS(eap->length))); tptr += sizeof(const struct eap_frame_t); tlen -= sizeof(const struct eap_frame_t);
+ show +
35
36
37
38
39
40
switch (eap->type) { case EAP_FRAME_TYPE_PACKET: type = *(tptr); len = EXTRACT_16BITS(tptr+2); ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type),
+ show +
41
42
43
44
45
46
47
48
49
50
type, *(tptr+1), len)); ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ subtype = *(tptr+4); ND_PRINT((ndo, "\n\t\t Type %s (%u)", tok2str(eap_type_values, "unknown", *(tptr+4)),
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
25
26
27
28
29
30
31
32
33
34
ND_PRINT((ndo, "%s (%u) v%u, len %u", tok2str(eap_frame_type_values, "unknown", eap->type), eap->type, eap->version, EXTRACT_16BITS(eap->length))); tptr += sizeof(const struct eap_frame_t); tlen -= sizeof(const struct eap_frame_t);
+ show +
35
36
37
38
39
40
switch (eap->type) { case EAP_FRAME_TYPE_PACKET: type = *(tptr); len = EXTRACT_16BITS(tptr+2); ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type),
+ show +
41
42
43
44
45
46
47
48
49
50
type, *(tptr+1), len)); ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ subtype = *(tptr+4); ND_PRINT((ndo, "\n\t\t Type %s (%u)", tok2str(eap_type_values, "unknown", *(tptr+4)),

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #2
ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ + ND_TCHECK_8BITS(tptr+4); subtype = *(tptr+4); ND_PRINT((ndo, "\n\t\t Type %s (%u)", - tok2str(eap_type_values, "unknown", *(tptr+4)), - *(tptr + 4))); + tok2str(eap_type_values, "unknown", subtype), + subtype)); switch (subtype) { case EAP_TYPE_IDENTITY:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
35
36
37
38
39
40
41
42
43
44
switch (eap->type) { case EAP_FRAME_TYPE_PACKET: type = *(tptr); len = EXTRACT_16BITS(tptr+2); ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type), type, *(tptr+1), len));
+ show +
45
46
47
48
49
50
51
52
53
54
ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ subtype = *(tptr+4); ND_PRINT((ndo, "\n\t\t Type %s (%u)", tok2str(eap_type_values, "unknown", *(tptr+4)), *(tptr + 4))); switch (subtype) { case EAP_TYPE_IDENTITY:
+ show +
55
56
57
58
59
60
61
62
63
64
if (len - 5 > 0) { ND_PRINT((ndo, ", Identity: ")); safeputs(ndo, tptr + 5, len - 5); } break; case EAP_TYPE_NOTIFICATION: if (len - 5 > 0) { ND_PRINT((ndo, ", Notification: ")); safeputs(ndo, tptr + 5, len - 5);
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
35
36
37
38
39
40
41
42
43
44
switch (eap->type) { case EAP_FRAME_TYPE_PACKET: type = *(tptr); len = EXTRACT_16BITS(tptr+2); ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type), type, *(tptr+1), len));
+ show +
45
46
47
48
49
50
51
52
53
54
ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ subtype = *(tptr+4); ND_PRINT((ndo, "\n\t\t Type %s (%u)", tok2str(eap_type_values, "unknown", *(tptr+4)), *(tptr + 4))); switch (subtype) { case EAP_TYPE_IDENTITY:
+ show +
55
56
57
58
59
60
61
62
63
64
if (len - 5 > 0) { ND_PRINT((ndo, ", Identity: ")); safeputs(ndo, tptr + 5, len - 5); } break; case EAP_TYPE_NOTIFICATION: if (len - 5 > 0) { ND_PRINT((ndo, ", Notification: ")); safeputs(ndo, tptr + 5, len - 5);

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #3
* type one octet per type */ while (count < len) { + ND_TCHECK_8BITS(tptr+count); ND_PRINT((ndo, " %s (%u),", tok2str(eap_type_values, "unknown", *(tptr+count)), *(tptr + count)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
64
65
66
67
68
69
70
71
72
73
safeputs(ndo, tptr + 5, len - 5); } break; case EAP_TYPE_NAK: count = 5; /* * one or more octets indicating * the desired authentication
+ show +
74
75
76
77
78
79
* type one octet per type */ while (count < len) { ND_PRINT((ndo, " %s (%u),", tok2str(eap_type_values, "unknown", *(tptr+count)), *(tptr + count)));
+ show +
80
81
82
83
84
85
86
87
88
89
count++; } break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
64
65
66
67
68
69
70
71
72
73
safeputs(ndo, tptr + 5, len - 5); } break; case EAP_TYPE_NAK: count = 5; /* * one or more octets indicating * the desired authentication
+ show +
74
75
76
77
78
79
* type one octet per type */ while (count < len) { ND_PRINT((ndo, " %s (%u),", tok2str(eap_type_values, "unknown", *(tptr+count)), *(tptr + count)));
+ show +
80
81
82
83
84
85
86
87
88
89
count++; } break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #4
break; case EAP_TYPE_TTLS: - ND_PRINT((ndo, " TTLSv%u", - EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: + ND_TCHECK_8BITS(tptr + 5); + if (subtype == EAP_TYPE_TTLS) + ND_PRINT((ndo, " TTLSv%u", + EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { + ND_TCHECK_32BITS(tptr + 6); ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } break; case EAP_TYPE_FAST: + ND_TCHECK_8BITS(tptr + 5); ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
72
73
74
75
76
77
78
79
80
81
* one or more octets indicating * the desired authentication * type one octet per type */ while (count < len) { ND_PRINT((ndo, " %s (%u),", tok2str(eap_type_values, "unknown", *(tptr+count)), *(tptr + count))); count++; }
+ show +
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,",
+ show +
101
102
103
104
105
106
107
108
109
110
bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } /* FIXME - TLV attributes follow */ break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
72
73
74
75
76
77
78
79
80
81
* one or more octets indicating * the desired authentication * type one octet per type */ while (count < len) { ND_PRINT((ndo, " %s (%u),", tok2str(eap_type_values, "unknown", *(tptr+count)), *(tptr + count))); count++; }
+ show +
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,",
+ show +
101
102
103
104
105
106
107
108
109
110
bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } /* FIXME - TLV attributes follow */ break;

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #5
*(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { + ND_TCHECK_32BITS(tptr + 6); ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
80
81
82
83
84
85
86
87
88
89
count++; } break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
+ show +
90
91
92
93
94
*(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); }
+ show +
95
96
97
98
99
100
101
102
103
104
break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
92
93
94
95
96
97
98
99
100
101
if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
+ show +
102
103
104
105
106
*(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); }
+ show +
107
108
109
110
111
112
113
114
115
116
/* FIXME - TLV attributes follow */ break; case EAP_TYPE_AKA: case EAP_TYPE_SIM: ND_PRINT((ndo, " subtype [%s] 0x%02x,", tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), *(tptr + 5)));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
80
81
82
83
84
85
86
87
88
89
count++; } break; case EAP_TYPE_TTLS: ND_PRINT((ndo, " TTLSv%u", EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */ case EAP_TYPE_TLS: ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
+ show +
90
91
92
93
94
*(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); }
+ show +
95
96
97
98
99
100
101
102
103
104
break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
92
93
94
95
96
97
98
99
100
101
if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } break; case EAP_TYPE_FAST: ND_PRINT((ndo, " FASTv%u", EAP_TTLS_VERSION(*(tptr + 5)))); ND_PRINT((ndo, " flags [%s] 0x%02x,", bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
+ show +
102
103
104
105
106
*(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); }
+ show +
107
108
109
110
111
112
113
114
115
116
/* FIXME - TLV attributes follow */ break; case EAP_TYPE_AKA: case EAP_TYPE_SIM: ND_PRINT((ndo, " subtype [%s] 0x%02x,", tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), *(tptr + 5)));

[tcpdump_CVE-2017-13015_1489690940_eap_print.diff] eap_print_OLD.c #6
case EAP_TYPE_AKA: case EAP_TYPE_SIM: + ND_TCHECK_8BITS(tptr + 5); ND_PRINT((ndo, " subtype [%s] 0x%02x,", tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), *(tptr + 5)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13015_before_imd_1471564715_eap_print.c
101
102
103
104
105
106
107
108
109
110
bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } /* FIXME - TLV attributes follow */ break;
+ show +
111
112
113
114
115
case EAP_TYPE_AKA: case EAP_TYPE_SIM: ND_PRINT((ndo, " subtype [%s] 0x%02x,", tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), *(tptr + 5)));
+ show +
116
117
118
119
120
121
122
123
124
125
/* FIXME - TLV attributes follow */ break; case EAP_TYPE_MD5_CHALLENGE: case EAP_TYPE_OTP: case EAP_TYPE_GTC: case EAP_TYPE_EXPANDED_TYPES: case EAP_TYPE_EXPERIMENTAL: default:
.\cloneFuncs\totalClone\Type-2\CVE-2017-13015_before_1mo_1471267648_eap_print.c
101
102
103
104
105
106
107
108
109
110
bittok2str(eap_tls_flags_values, "none", *(tptr+5)), *(tptr + 5))); if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6))); } /* FIXME - TLV attributes follow */ break;
+ show +
111
112
113
114
115
case EAP_TYPE_AKA: case EAP_TYPE_SIM: ND_PRINT((ndo, " subtype [%s] 0x%02x,", tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), *(tptr + 5)));
+ show +
116
117
118
119
120
121
122
123
124
125
/* FIXME - TLV attributes follow */ break; case EAP_TYPE_MD5_CHALLENGE: case EAP_TYPE_OTP: case EAP_TYPE_GTC: case EAP_TYPE_EXPANDED_TYPES: case EAP_TYPE_EXPERIMENTAL: default:

[tcpdump_CVE-2017-13017_1490150451_dhcp6opt_print.diff] dhcp6opt_print_OLD.c #1
ND_PRINT((ndo, "...)")); break; case DH6OPT_RECONF_MSG: + if (optlen != 1) { + ND_PRINT((ndo, " ?)")); + break; + } tp = (const u_char *)(dh6o + 1); switch (*tp) { case DH6_RENEW:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13017_before_imd_1484643706_dhcp6opt_print.c
230
231
232
233
234
235
236
237
238
239
case DH6OPT_INTERFACE_ID: case DH6OPT_SUBSCRIBER_ID: /* * Since we cannot predict the encoding, print hex dump * at most 10 characters. */ tp = (const u_char *)(dh6o + 1); ND_PRINT((ndo, " ")); for (i = 0; i < optlen && i < 10; i++) ND_PRINT((ndo, "%02x", tp[i]));
+ show +
240
241
242
243
244
245
ND_PRINT((ndo, "...)")); break; case DH6OPT_RECONF_MSG: tp = (const u_char *)(dh6o + 1); switch (*tp) { case DH6_RENEW:
+ show +
246
247
248
249
250
251
252
253
254
255
ND_PRINT((ndo, " for renew)")); break; case DH6_INFORM_REQ: ND_PRINT((ndo, " for inf-req)")); break; default: ND_PRINT((ndo, " for ?\?\?(%02x))", *tp)); break; } break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-13017_before_1mo_1484388260_dhcp6opt_print.c
230
231
232
233
234
235
236
237
238
239
case DH6OPT_INTERFACE_ID: case DH6OPT_SUBSCRIBER_ID: /* * Since we cannot predict the encoding, print hex dump * at most 10 characters. */ tp = (const u_char *)(dh6o + 1); ND_PRINT((ndo, " ")); for (i = 0; i < optlen && i < 10; i++) ND_PRINT((ndo, "%02x", tp[i]));
+ show +
240
241
242
243
244
245
ND_PRINT((ndo, "...)")); break; case DH6OPT_RECONF_MSG: tp = (const u_char *)(dh6o + 1); switch (*tp) { case DH6_RENEW:
+ show +
246
247
248
249
250
251
252
253
254
255
ND_PRINT((ndo, " for renew)")); break; case DH6_INFORM_REQ: ND_PRINT((ndo, " for inf-req)")); break; default: ND_PRINT((ndo, " for ?\?\?(%02x))", *tp)); break; } break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13017_before_6mo_1471182139_dhcp6opt_print.c
229
230
231
232
233
234
235
236
237
238
case DH6OPT_INTERFACE_ID: case DH6OPT_SUBSCRIBER_ID: /* * Since we cannot predict the encoding, print hex dump * at most 10 characters. */ tp = (const u_char *)(dh6o + 1); ND_PRINT((ndo, " ")); for (i = 0; i < optlen && i < 10; i++) ND_PRINT((ndo, "%02x", tp[i]));
+ show +
239
240
241
242
243
244
ND_PRINT((ndo, "...)")); break; case DH6OPT_RECONF_MSG: tp = (const u_char *)(dh6o + 1); switch (*tp) { case DH6_RENEW:
+ show +
245
246
247
248
249
250
251
252
253
254
ND_PRINT((ndo, " for renew)")); break; case DH6_INFORM_REQ: ND_PRINT((ndo, " for inf-req)")); break; default: ND_PRINT((ndo, " for ?\?\?(%02x))", *tp)); break; } break;

[tcpdump_CVE-2017-13018_1490150968_pgm_print.diff] pgm_print_OLD.c #1
ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } + if (!ND_TTEST2(*bp, 2)) { + ND_PRINT((ndo, " [|OPT]")); + return; + } opt_type = *bp++; opt_len = *bp++; if (opt_len < PGM_MIN_OPT_LEN) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
303
304
305
306
307
308
309
310
311
312
if (opts_len < 4) { ND_PRINT((ndo, "[Bad total option length %u < 4]", opts_len)); return; } bp += sizeof(uint16_t); ND_PRINT((ndo, " OPTS LEN %d", opts_len)); opts_len -= 4; while (opts_len) { if (opts_len < PGM_MIN_OPT_LEN) {
+ show +
313
314
315
316
317
318
ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } opt_type = *bp++; opt_len = *bp++; if (opt_len < PGM_MIN_OPT_LEN) {
+ show +
319
320
321
322
323
324
325
326
327
328
ND_PRINT((ndo, "[Bad option, length %u < %u]", opt_len, PGM_MIN_OPT_LEN)); break; } if (opts_len < opt_len) { ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } if (!ND_TTEST2(*bp, opt_len - 2)) { ND_PRINT((ndo, " [|OPT]"));
.\cloneFuncs\totalClone\Type-3\CVE-2017-13018_before_6mo_1442517562_pgm_print.c
345
346
347
348
349
350
351
352
353
354
if (opts_len < 4) { ND_PRINT((ndo, "[Bad total option length %u < 4]", opts_len)); return; } bp += sizeof(uint16_t); ND_PRINT((ndo, " OPTS LEN %d", opts_len)); opts_len -= 4; while (opts_len) { if (opts_len < PGM_MIN_OPT_LEN) {
+ show +
355
356
357
358
359
360
ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } opt_type = *bp++; opt_len = *bp++; if (opt_len < PGM_MIN_OPT_LEN) {
+ show +
361
362
363
364
365
366
367
368
369
370
ND_PRINT((ndo, "[Bad option, length %u < %u]", opt_len, PGM_MIN_OPT_LEN)); break; } if (opts_len < opt_len) { ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } if (!ND_TTEST2(*bp, opt_len - 2)) { ND_PRINT((ndo, " [|OPT]"));

[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #1
switch (opt_type & PGM_OPT_MASK) { case PGM_OPT_LENGTH: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len)); +#define PGM_OPT_LENGTH_LEN (2+2) + if (opt_len != PGM_OPT_LENGTH_LEN) { + ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != %u]", + opt_len, PGM_OPT_LENGTH_LEN)); return; } ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp))); - bp += sizeof(uint16_t); - opts_len -= 4; + bp += 2; + opts_len -= PGM_OPT_LENGTH_LEN; break; case PGM_OPT_FRAGMENT: - if (opt_len != 16) { - ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len)); +#define PGM_OPT_FRAGMENT_LEN (2+2+4+4+4) + if (opt_len != PGM_OPT_FRAGMENT_LEN) { + ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != %u]", + opt_len, PGM_OPT_FRAGMENT_LEN)); return; } bp += 2; seq = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; offset = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; len = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len)); - opts_len -= 16; + opts_len -= PGM_OPT_FRAGMENT_LEN; break; case PGM_OPT_NAK_LIST: bp += 2; - opt_len -= sizeof(uint32_t); /* option header */ + opt_len -= 4; /* option header */ ND_PRINT((ndo, " NAK LIST")); while (opt_len) { - if (opt_len < sizeof(uint32_t)) { + if (opt_len < 4) { ND_PRINT((ndo, "[Option length not a multiple of 4]")); return; } - ND_TCHECK2(*bp, sizeof(uint32_t)); + ND_TCHECK2(*bp, 4); ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp))); - bp += sizeof(uint32_t); - opt_len -= sizeof(uint32_t); - opts_len -= sizeof(uint32_t); + bp += 4; + opt_len -= 4; + opts_len -= 4; } break; case PGM_OPT_JOIN: - if (opt_len != 8) { - ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len)); +#define PGM_OPT_JOIN_LEN (2+2+4) + if (opt_len != PGM_OPT_JOIN_LEN) { + ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != %u]", + opt_len, PGM_OPT_JOIN_LEN)); return; } bp += 2; seq = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " JOIN %u", seq)); - opts_len -= 8; + opts_len -= PGM_OPT_JOIN_LEN; break; case PGM_OPT_NAK_BO_IVL: - if (opt_len != 12) { - ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len)); +#define PGM_OPT_NAK_BO_IVL_LEN (2+2+4+4) + if (opt_len != PGM_OPT_NAK_BO_IVL_LEN) { + ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != %u]", + opt_len, PGM_OPT_NAK_BO_IVL_LEN)); return; } bp += 2; offset = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; seq = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq)); - opts_len -= 12; + opts_len -= PGM_OPT_NAK_BO_IVL_LEN; break; case PGM_OPT_NAK_BO_RNG: - if (opt_len != 12) { - ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len)); +#define PGM_OPT_NAK_BO_RNG_LEN (2+2+4+4) + if (opt_len != PGM_OPT_NAK_BO_RNG_LEN) { + ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != %u]", + opt_len, PGM_OPT_NAK_BO_RNG_LEN)); return; } bp += 2; offset = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; seq = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq)); - opts_len -= 12; + opts_len -= PGM_OPT_NAK_BO_RNG_LEN; break; case PGM_OPT_REDIRECT: +#define PGM_OPT_REDIRECT_FIXED_LEN (2+2+2+2) + if (opt_len < PGM_OPT_REDIRECT_FIXED_LEN) { + ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u < %u]", + opt_len, PGM_OPT_REDIRECT_FIXED_LEN)); + return; + } bp += 2; nla_afnum = EXTRACT_16BITS(bp); - bp += (2 * sizeof(uint16_t)); + bp += 2+2; switch (nla_afnum) { case AFNUM_INET: - if (opt_len != 4 + sizeof(struct in_addr)) { - ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); + if (opt_len != PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in_addr)) { + ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != %u + address size]", + opt_len, PGM_OPT_REDIRECT_FIXED_LEN)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); - opts_len -= 4 + sizeof(struct in_addr); + opts_len -= PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in_addr); break; case AFNUM_INET6: - if (opt_len != 4 + sizeof(struct in6_addr)) { - ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); + if (opt_len != PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in6_addr)) { + ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != %u + address size]", + PGM_OPT_REDIRECT_FIXED_LEN, opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); - opts_len -= 4 + sizeof(struct in6_addr); + opts_len -= PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in6_addr); break; default: goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
322
323
324
325
326
327
328
329
330
331
} if (opts_len < opt_len) { ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } if (!ND_TTEST2(*bp, opt_len - 2)) { ND_PRINT((ndo, " [|OPT]")); return; }
+ show +
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
switch (opt_type & PGM_OPT_MASK) { case PGM_OPT_LENGTH: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len)); return; } ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp))); bp += sizeof(uint16_t); opts_len -= 4; break; case PGM_OPT_FRAGMENT: if (opt_len != 16) { ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len)); opts_len -= 16; break; case PGM_OPT_NAK_LIST: bp += 2; opt_len -= sizeof(uint32_t); /* option header */ ND_PRINT((ndo, " NAK LIST")); while (opt_len) { if (opt_len < sizeof(uint32_t)) { ND_PRINT((ndo, "[Option length not a multiple of 4]")); return; } ND_TCHECK2(*bp, sizeof(uint32_t)); ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp))); bp += sizeof(uint32_t); opt_len -= sizeof(uint32_t); opts_len -= sizeof(uint32_t); } break; case PGM_OPT_JOIN: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " JOIN %u", seq)); opts_len -= 8; break; case PGM_OPT_NAK_BO_IVL: if (opt_len != 12) { ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len)); return; } bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq)); opts_len -= 12; break; case PGM_OPT_NAK_BO_RNG: if (opt_len != 12) { ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len)); return; } bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq)); opts_len -= 12; break; case PGM_OPT_REDIRECT: bp += 2; nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 4 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 4 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 4 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 4 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
443
444
445
446
447
448
449
450
451
452
break; } ND_PRINT((ndo, " REDIRECT %s", nla_buf)); break; case PGM_OPT_PARITY_PRM: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
326
327
328
329
330
331
332
333
334
335
} if (opts_len < opt_len) { ND_PRINT((ndo, "[Total option length leaves no room for final option]")); return; } if (!ND_TTEST2(*bp, opt_len - 2)) { ND_PRINT((ndo, " [|OPT]")); return; }
+ show +
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
switch (opt_type & PGM_OPT_MASK) { case PGM_OPT_LENGTH: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len)); return; } ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp))); bp += sizeof(uint16_t); opts_len -= 4; break; case PGM_OPT_FRAGMENT: if (opt_len != 16) { ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len)); opts_len -= 16; break; case PGM_OPT_NAK_LIST: bp += 2; opt_len -= sizeof(uint32_t); /* option header */ ND_PRINT((ndo, " NAK LIST")); while (opt_len) { if (opt_len < sizeof(uint32_t)) { ND_PRINT((ndo, "[Option length not a multiple of 4]")); return; } ND_TCHECK2(*bp, sizeof(uint32_t)); ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp))); bp += sizeof(uint32_t); opt_len -= sizeof(uint32_t); opts_len -= sizeof(uint32_t); } break; case PGM_OPT_JOIN: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " JOIN %u", seq)); opts_len -= 8; break; case PGM_OPT_NAK_BO_IVL: if (opt_len != 12) { ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len)); return; } bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq)); opts_len -= 12; break; case PGM_OPT_NAK_BO_RNG: if (opt_len != 12) { ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len)); return; } bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq)); opts_len -= 12; break; case PGM_OPT_REDIRECT: bp += 2; nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 4 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 4 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 4 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 4 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
447
448
449
450
451
452
453
454
455
456
break; } ND_PRINT((ndo, " REDIRECT %s", nla_buf)); break; case PGM_OPT_PARITY_PRM: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); return;

[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #2
break; case PGM_OPT_PARITY_PRM: - if (opt_len != 8) { - ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); +#define PGM_OPT_PARITY_PRM_LEN (2+2+4) + if (opt_len != PGM_OPT_PARITY_PRM_LEN) { + ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != %u]", + opt_len, PGM_OPT_PARITY_PRM_LEN)); return; } bp += 2; len = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " PARITY MAXTGS %u", len)); - opts_len -= 8; + opts_len -= PGM_OPT_PARITY_PRM_LEN; break; case PGM_OPT_PARITY_GRP: - if (opt_len != 8) { - ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len)); +#define PGM_OPT_PARITY_GRP_LEN (2+2+4) + if (opt_len != PGM_OPT_PARITY_GRP_LEN) { + ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != %u]", + opt_len, PGM_OPT_PARITY_GRP_LEN)); return; } bp += 2; seq = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " PARITY GROUP %u", seq)); - opts_len -= 8; + opts_len -= PGM_OPT_PARITY_GRP_LEN; break; case PGM_OPT_CURR_TGSIZE: - if (opt_len != 8) { - ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len)); +#define PGM_OPT_CURR_TGSIZE_LEN (2+2+4) + if (opt_len != PGM_OPT_CURR_TGSIZE_LEN) { + ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != %u]", + opt_len, PGM_OPT_CURR_TGSIZE_LEN)); return; } bp += 2; len = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; ND_PRINT((ndo, " PARITY ATGS %u", len)); - opts_len -= 8; + opts_len -= PGM_OPT_CURR_TGSIZE_LEN; break; case PGM_OPT_NBR_UNREACH: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len)); +#define PGM_OPT_NBR_UNREACH_LEN (2+2) + if (opt_len != PGM_OPT_NBR_UNREACH_LEN) { + ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != %u]", + opt_len, PGM_OPT_NBR_UNREACH_LEN)); return; } bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); - opts_len -= 4; + opts_len -= PGM_OPT_NBR_UNREACH_LEN; break; case PGM_OPT_PATH_NLA:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
437
438
439
440
441
442
443
444
445
446
addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 4 + sizeof(struct in6_addr); break; default: goto trunc; break; } ND_PRINT((ndo, " REDIRECT %s", nla_buf));
+ show +
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
break; case PGM_OPT_PARITY_PRM: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY MAXTGS %u", len)); opts_len -= 8; break; case PGM_OPT_PARITY_GRP: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY GROUP %u", seq)); opts_len -= 8; break; case PGM_OPT_CURR_TGSIZE: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY ATGS %u", len)); opts_len -= 8; break; case PGM_OPT_NBR_UNREACH: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA:
+ show +
496
497
498
499
500
501
502
503
504
505
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
441
442
443
444
445
446
447
448
449
450
addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 4 + sizeof(struct in6_addr); break; default: goto trunc; break; } ND_PRINT((ndo, " REDIRECT %s", nla_buf));
+ show +
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
break; case PGM_OPT_PARITY_PRM: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY MAXTGS %u", len)); opts_len -= 8; break; case PGM_OPT_PARITY_GRP: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY GROUP %u", seq)); opts_len -= 8; break; case PGM_OPT_CURR_TGSIZE: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY ATGS %u", len)); opts_len -= 8; break; case PGM_OPT_NBR_UNREACH: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA:
+ show +
500
501
502
503
504
505
506
507
508
509
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-13018_before_6mo_1442517562_pgm_print.c
477
478
479
480
481
482
483
484
485
486
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len)); return; } ND_TCHECK2(*bp, addr_size); nla = bp; bp += addr_size; inet_ntop(nla_af, nla, nla_buf, sizeof(nla_buf)); ND_PRINT((ndo, " REDIRECT %s", nla_buf)); opts_len -= 4 + addr_size;
+ show +
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
break; case PGM_OPT_PARITY_PRM: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY MAXTGS %u", len)); opts_len -= 8; break; case PGM_OPT_PARITY_GRP: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len)); return; } bp += 2; seq = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY GROUP %u", seq)); opts_len -= 8; break; case PGM_OPT_CURR_TGSIZE: if (opt_len != 8) { ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len)); return; } bp += 2; len = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); ND_PRINT((ndo, " PARITY ATGS %u", len)); opts_len -= 8; break; case PGM_OPT_NBR_UNREACH: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA:
+ show +
536
537
538
539
540
541
542
543
544
545
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; }

[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #3
break; case PGM_OPT_SYN: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); +#define PGM_OPT_SYN_LEN (2+2) + if (opt_len != PGM_OPT_SYN_LEN) { + ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != %u]", + opt_len, PGM_OPT_SYN_LEN)); return; } bp += 2; ND_PRINT((ndo, " SYN")); - opts_len -= 4; + opts_len -= PGM_OPT_SYN_LEN; break; case PGM_OPT_FIN: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_FIN option, length %u != 4]", opt_len)); +#define PGM_OPT_FIN_LEN (2+2) + if (opt_len != PGM_OPT_FIN_LEN) { + ND_PRINT((ndo, "[Bad OPT_FIN option, length %u != %u]", + opt_len, PGM_OPT_FIN_LEN)); return; } bp += 2; ND_PRINT((ndo, " FIN")); - opts_len -= 4; + opts_len -= PGM_OPT_FIN_LEN; break; case PGM_OPT_RST: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_RST option, length %u != 4]", opt_len)); +#define PGM_OPT_RST_LEN (2+2) + if (opt_len != PGM_OPT_RST_LEN) { + ND_PRINT((ndo, "[Bad OPT_RST option, length %u != %u]", + opt_len, PGM_OPT_RST_LEN)); return; } bp += 2; ND_PRINT((ndo, " RST")); - opts_len -= 4; + opts_len -= PGM_OPT_RST_LEN; break; case PGM_OPT_CR:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
489
490
491
492
493
494
495
496
497
498
} bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA: ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len;
+ show +
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " SYN")); opts_len -= 4; break; case PGM_OPT_FIN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_FIN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " FIN")); opts_len -= 4; break; case PGM_OPT_RST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_RST option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " RST")); opts_len -= 4; break; case PGM_OPT_CR:
+ show +
532
533
534
535
536
537
538
539
540
541
ND_PRINT((ndo, " CR")); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_CRQST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); return; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
493
494
495
496
497
498
499
500
501
502
} bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA: ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len;
+ show +
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " SYN")); opts_len -= 4; break; case PGM_OPT_FIN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_FIN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " FIN")); opts_len -= 4; break; case PGM_OPT_RST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_RST option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " RST")); opts_len -= 4; break; case PGM_OPT_CR:
+ show +
536
537
538
539
540
541
542
543
544
545
ND_PRINT((ndo, " CR")); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_CRQST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); return; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-13018_before_6mo_1442517562_pgm_print.c
529
530
531
532
533
534
535
536
537
538
} bp += 2; ND_PRINT((ndo, " NBR_UNREACH")); opts_len -= 4; break; case PGM_OPT_PATH_NLA: ND_PRINT((ndo, " PATH_NLA [%d]", opt_len)); bp += opt_len; opts_len -= opt_len;
+ show +
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
break; case PGM_OPT_SYN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " SYN")); opts_len -= 4; break; case PGM_OPT_FIN: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_FIN option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " FIN")); opts_len -= 4; break; case PGM_OPT_RST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_RST option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " RST")); opts_len -= 4; break; case PGM_OPT_CR:
+ show +
572
573
574
575
576
577
578
579
580
581
ND_PRINT((ndo, " CR")); bp += opt_len; opts_len -= opt_len; break; case PGM_OPT_CRQST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); return; }

[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #4
break; case PGM_OPT_CRQST: - if (opt_len != 4) { - ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); +#define PGM_OPT_CRQST_LEN (2+2) + if (opt_len != PGM_OPT_CRQST_LEN) { + ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != %u]", + opt_len, PGM_OPT_CRQST_LEN)); return; } bp += 2; ND_PRINT((ndo, " CRQST")); - opts_len -= 4; + opts_len -= PGM_OPT_CRQST_LEN; break; case PGM_OPT_PGMCC_DATA: +#define PGM_OPT_PGMCC_DATA_FIXED_LEN (2+2+4+2+2) + if (opt_len < PGM_OPT_PGMCC_DATA_FIXED_LEN) { + ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u < %u]", + opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN)); + return; + } bp += 2; offset = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; nla_afnum = EXTRACT_16BITS(bp); - bp += (2 * sizeof(uint16_t)); + bp += 2+2; switch (nla_afnum) { case AFNUM_INET: - if (opt_len != 12 + sizeof(struct in_addr)) { - ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); + if (opt_len != PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in_addr)) { + ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != %u + address size]", + opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); - opts_len -= 12 + sizeof(struct in_addr); + opts_len -= PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in_addr); break; case AFNUM_INET6: - if (opt_len != 12 + sizeof(struct in6_addr)) { - ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); + if (opt_len != PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in6_addr)) { + ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != %u + address size]", + opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); - opts_len -= 12 + sizeof(struct in6_addr); + opts_len -= PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in6_addr); break; default: goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
525
526
527
528
529
530
531
532
533
534
} bp += 2; ND_PRINT((ndo, " RST")); opts_len -= 4; break; case PGM_OPT_CR: ND_PRINT((ndo, " CR")); bp += opt_len; opts_len -= opt_len;
+ show +
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
break; case PGM_OPT_CRQST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " CRQST")); opts_len -= 4; break; case PGM_OPT_PGMCC_DATA: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 12 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 12 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 12 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
576
577
578
579
580
581
582
583
584
585
break; } ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf)); break; case PGM_OPT_PGMCC_FEEDBACK: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
529
530
531
532
533
534
535
536
537
538
} bp += 2; ND_PRINT((ndo, " RST")); opts_len -= 4; break; case PGM_OPT_CR: ND_PRINT((ndo, " CR")); bp += opt_len; opts_len -= opt_len;
+ show +
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
break; case PGM_OPT_CRQST: if (opt_len != 4) { ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len)); return; } bp += 2; ND_PRINT((ndo, " CRQST")); opts_len -= 4; break; case PGM_OPT_PGMCC_DATA: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 12 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 12 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 12 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
580
581
582
583
584
585
586
587
588
589
break; } ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf)); break; case PGM_OPT_PGMCC_FEEDBACK: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t);

[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #5
break; case PGM_OPT_PGMCC_FEEDBACK: +#define PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN (2+2+4+2+2) + if (opt_len < PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN) { + ND_PRINT((ndo, "[Bad PGM_OPT_PGMCC_FEEDBACK option, length %u < %u]", + opt_len, PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN)); + return; + } bp += 2; offset = EXTRACT_32BITS(bp); - bp += sizeof(uint32_t); + bp += 4; nla_afnum = EXTRACT_16BITS(bp); - bp += (2 * sizeof(uint16_t)); + bp += 2+2; switch (nla_afnum) { case AFNUM_INET: - if (opt_len != 12 + sizeof(struct in_addr)) { - ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); + if (opt_len != PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN + sizeof(struct in_addr)) { + ND_PRINT((ndo, "[Bad OPT_PGMCC_FEEDBACK option, length %u != %u + address size]", + opt_len, PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); - opts_len -= 12 + sizeof(struct in_addr); + opts_len -= PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN + sizeof(struct in_addr); break; case AFNUM_INET6: - if (opt_len != 12 + sizeof(struct in6_addr)) { - ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); + if (opt_len != PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN + sizeof(struct in6_addr)) { + ND_PRINT((ndo, "[Bad OPT_PGMCC_FEEDBACK option, length %u != %u + address size]", + opt_len, PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); - opts_len -= 12 + sizeof(struct in6_addr); + opts_len -= PGM_OPT_PGMCC_FEEDBACK_FIXED_LEN + sizeof(struct in6_addr); break; default: goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
570
571
572
573
574
575
576
577
578
579
addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc; break; } ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf));
+ show +
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
break; case PGM_OPT_PGMCC_FEEDBACK: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 12 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 12 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 12 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
611
612
613
614
615
616
617
618
619
620
break; } ND_PRINT((ndo, " PGMCC FEEDBACK %u %s", offset, nla_buf)); break; default: ND_PRINT((ndo, " OPT_%02X [%d] ", opt_type, opt_len)); bp += opt_len; opts_len -= opt_len;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
574
575
576
577
578
579
580
581
582
583
addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc; break; } ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf));
+ show +
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
break; case PGM_OPT_PGMCC_FEEDBACK: bp += 2; offset = EXTRACT_32BITS(bp); bp += sizeof(uint32_t); nla_afnum = EXTRACT_16BITS(bp); bp += (2 * sizeof(uint16_t)); switch (nla_afnum) { case AFNUM_INET: if (opt_len != 12 + sizeof(struct in_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in_addr)); addrtostr(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in_addr); opts_len -= 12 + sizeof(struct in_addr); break; case AFNUM_INET6: if (opt_len != 12 + sizeof(struct in6_addr)) { ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len)); return; } ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, nla_buf, sizeof(nla_buf)); bp += sizeof(struct in6_addr); opts_len -= 12 + sizeof(struct in6_addr); break; default: goto trunc;
+ show +
615
616
617
618
619
620
621
622
623
624
break; } ND_PRINT((ndo, " PGMCC FEEDBACK %u %s", offset, nla_buf)); break; default: ND_PRINT((ndo, " OPT_%02X [%d] ", opt_type, opt_len)); bp += opt_len; opts_len -= opt_len;

[tcpdump_CVE-2017-13034_1490303490_pgm_print.diff] pgm_print_OLD.c #1
ND_PRINT((ndo, "%s > %s: [|pgm]", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); - return; } else { ND_PRINT((ndo, "%s > %s: [|pgm]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); - return; } + return; } sport = EXTRACT_16BITS(&pgm->pgm_sport);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
15
16
17
18
19
20
21
22
23
24
pgm = (const struct pgm_header *)bp; ip = (const struct ip *)bp2; if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; ch = '\0'; if (!ND_TTEST(pgm->pgm_dport)) { if (ip6) {
+ show +
25
26
27
28
29
30
31
32
33
34
35
36
37
ND_PRINT((ndo, "%s > %s: [|pgm]", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); return; } else { ND_PRINT((ndo, "%s > %s: [|pgm]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); return; } } sport = EXTRACT_16BITS(&pgm->pgm_sport);
+ show +
38
39
40
41
42
43
44
45
46
47
dport = EXTRACT_16BITS(&pgm->pgm_dport); if (ip6) { if (ip6->ip6_nxt == IPPROTO_PGM) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ip6addr_string(ndo, &ip6->ip6_src), tcpport_string(ndo, sport), ip6addr_string(ndo, &ip6->ip6_dst), tcpport_string(ndo, dport))); } else {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
15
16
17
18
19
20
21
22
23
24
pgm = (const struct pgm_header *)bp; ip = (const struct ip *)bp2; if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; ch = '\0'; if (!ND_TTEST(pgm->pgm_dport)) { if (ip6) {
+ show +
25
26
27
28
29
30
31
32
33
34
35
36
37
ND_PRINT((ndo, "%s > %s: [|pgm]", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); return; } else { ND_PRINT((ndo, "%s > %s: [|pgm]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); return; } } sport = EXTRACT_16BITS(&pgm->pgm_sport);
+ show +
38
39
40
41
42
43
44
45
46
47
dport = EXTRACT_16BITS(&pgm->pgm_dport); if (ip6) { if (ip6->ip6_nxt == IPPROTO_PGM) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ip6addr_string(ndo, &ip6->ip6_src), tcpport_string(ndo, sport), ip6addr_string(ndo, &ip6->ip6_dst), tcpport_string(ndo, dport))); } else {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13034_before_imd_1490158185_pgm_print.c
15
16
17
18
19
20
21
22
23
24
pgm = (const struct pgm_header *)bp; ip = (const struct ip *)bp2; if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; ch = '\0'; if (!ND_TTEST(pgm->pgm_dport)) { if (ip6) {
+ show +
25
26
27
28
29
30
31
32
33
34
35
36
37
ND_PRINT((ndo, "%s > %s: [|pgm]", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); return; } else { ND_PRINT((ndo, "%s > %s: [|pgm]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); return; } } sport = EXTRACT_16BITS(&pgm->pgm_sport);
+ show +
38
39
40
41
42
43
44
45
46
47
dport = EXTRACT_16BITS(&pgm->pgm_dport); if (ip6) { if (ip6->ip6_nxt == IPPROTO_PGM) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ip6addr_string(ndo, &ip6->ip6_src), tcpport_string(ndo, sport), ip6addr_string(ndo, &ip6->ip6_dst), tcpport_string(ndo, dport))); } else {

[tcpdump_CVE-2017-13034_1490303490_pgm_print.diff] pgm_print_OLD.c #2
* and stopping if we don't have enough. */ bp += (2 * sizeof(uint16_t)); + ND_TCHECK_16BITS(bp); switch (EXTRACT_16BITS(bp)) { case AFNUM_INET: ND_TCHECK2(*bp, sizeof(struct in_addr));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
208
209
210
211
212
213
214
215
216
217
addrtostr6(bp, source_buf, sizeof(source_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc; break; } /* * Skip past the group, saving info along the way
+ show +
218
219
220
221
222
223
* and stopping if we don't have enough. */ bp += (2 * sizeof(uint16_t)); switch (EXTRACT_16BITS(bp)) { case AFNUM_INET: ND_TCHECK2(*bp, sizeof(struct in_addr));
+ show +
224
225
226
227
228
229
230
231
232
233
addrtostr(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in_addr); break; case AFNUM_INET6: ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
208
209
210
211
212
213
214
215
216
217
addrtostr6(bp, source_buf, sizeof(source_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc; break; } /* * Skip past the group, saving info along the way
+ show +
218
219
220
221
222
223
* and stopping if we don't have enough. */ bp += (2 * sizeof(uint16_t)); switch (EXTRACT_16BITS(bp)) { case AFNUM_INET: ND_TCHECK2(*bp, sizeof(struct in_addr));
+ show +
224
225
226
227
228
229
230
231
232
233
addrtostr(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in_addr); break; case AFNUM_INET6: ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13034_before_imd_1490158185_pgm_print.c
208
209
210
211
212
213
214
215
216
217
addrtostr6(bp, source_buf, sizeof(source_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc; break; } /* * Skip past the group, saving info along the way
+ show +
218
219
220
221
222
223
* and stopping if we don't have enough. */ bp += (2 * sizeof(uint16_t)); switch (EXTRACT_16BITS(bp)) { case AFNUM_INET: ND_TCHECK2(*bp, sizeof(struct in_addr));
+ show +
224
225
226
227
228
229
230
231
232
233
addrtostr(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in_addr); break; case AFNUM_INET6: ND_TCHECK2(*bp, sizeof(struct in6_addr)); addrtostr6(bp, group_buf, sizeof(group_buf)); bp += sizeof(struct in6_addr); break; default: goto trunc;

[tcpdump_CVE-2017-13021_1490162504_icmp6_print.diff] icmp6_print_OLD.c #1
if (ndo->ndo_vflag) { ND_TCHECK(dp->icmp6_data16[0]); ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0]))); + ND_TCHECK(dp->icmp6_data16[1]); if (dp->icmp6_data16[1] & 0xc0) ND_PRINT((ndo," ")); if (dp->icmp6_data16[1] & 0x80)
.\cloneFuncs\totalClone\Type-1\CVE-2017-13021_before_1mo_1473623126_icmp6_print.c
253
254
255
256
257
258
259
260
261
262
ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0]))); cp = (const u_char *)dp + length; in6 = (const struct in6_addr *)(dp + 1); for (; (const u_char *)in6 < cp; in6++) { ND_TCHECK(*in6); ND_PRINT((ndo,", %s", ip6addr_string(ndo, in6))); } } break; case ICMP6_MOBILEPREFIX_ADVERT:
+ show +
263
264
265
266
267
268
if (ndo->ndo_vflag) { ND_TCHECK(dp->icmp6_data16[0]); ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0]))); if (dp->icmp6_data16[1] & 0xc0) ND_PRINT((ndo," ")); if (dp->icmp6_data16[1] & 0x80)
+ show +
269
270
271
272
273
274
275
276
277
278
ND_PRINT((ndo,"M")); if (dp->icmp6_data16[1] & 0x40) ND_PRINT((ndo,"O")); #define MPADVLEN 8 icmp6_opt_print(ndo, (const u_char *)dp + MPADVLEN, length - MPADVLEN); } break; case ND_RPL_MESSAGE: /* plus 4, because struct icmp6_hdr contains 4 bytes of icmp payload */

[tcpdump_CVE-2017-13022_1490162837_ip_optprint.diff] ip_optprint_OLD.c #1
case IPOPT_RR: /* fall through */ case IPOPT_SSRR: case IPOPT_LSRR: - ip_printroute(ndo, cp, option_len); + if (ip_printroute(ndo, cp, option_len) == -1) + goto trunc; break; case IPOPT_RA:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13022_before_1mo_1436060711_ip_optprint.c
38
39
40
41
42
43
44
45
46
47
ND_TCHECK2(*cp, option_len); switch (option_code) { case IPOPT_EOL: return; case IPOPT_TS: ip_printts(ndo, cp, option_len); break;
+ show +
48
49
50
51
52
53
54
case IPOPT_RR: /* fall through */ case IPOPT_SSRR: case IPOPT_LSRR: ip_printroute(ndo, cp, option_len); break; case IPOPT_RA:
+ show +
55
56
57
58
59
60
61
62
63
64
if (option_len < 4) { ND_PRINT((ndo, " [bad length %u]", option_len)); break; } ND_TCHECK(cp[3]); if (EXTRACT_16BITS(&cp[2]) != 0) ND_PRINT((ndo, " value %u", EXTRACT_16BITS(&cp[2]))); break; case IPOPT_NOP: /* nothing to print - fall through */

[tcpdump_CVE-2017-13037_1490406129_ip_optprint.diff] ip_optprint_OLD.c #1
return; case IPOPT_TS: - ip_printts(ndo, cp, option_len); + if (ip_printts(ndo, cp, option_len) == -1) + goto trunc; break; case IPOPT_RR: /* fall through */
.\cloneFuncs\totalClone\Type-1\CVE-2017-13022_before_1mo_1436060711_ip_optprint.c
32
33
34
35
36
37
38
39
40
41
if (option_len > length) { ND_PRINT((ndo, " [bad length %u]", option_len)); return; } ND_TCHECK2(*cp, option_len); switch (option_code) { case IPOPT_EOL:
+ show +
42
43
44
45
46
47
48
return; case IPOPT_TS: ip_printts(ndo, cp, option_len); break; case IPOPT_RR: /* fall through */
+ show +
49
50
51
52
53
54
55
56
57
58
case IPOPT_SSRR: case IPOPT_LSRR: ip_printroute(ndo, cp, option_len); break; case IPOPT_RA: if (option_len < 4) { ND_PRINT((ndo, " [bad length %u]", option_len)); break; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13037_before_imd_1490162837_ip_optprint.c
32
33
34
35
36
37
38
39
40
41
if (option_len > length) { ND_PRINT((ndo, " [bad length %u]", option_len)); return; } ND_TCHECK2(*cp, option_len); switch (option_code) { case IPOPT_EOL:
+ show +
42
43
44
45
46
47
48
return; case IPOPT_TS: ip_printts(ndo, cp, option_len); break; case IPOPT_RR: /* fall through */
+ show +
49
50
51
52
53
54
55
56
57
58
case IPOPT_SSRR: case IPOPT_LSRR: if (ip_printroute(ndo, cp, option_len) == -1) goto trunc; break; case IPOPT_RA: if (option_len < 4) { ND_PRINT((ndo, " [bad length %u]", option_len)); break;

[tcpdump_CVE-2017-13022_1490162837_ip_printroute.diff] ip_printroute_OLD.c #1
-static void +static int ip_printroute(netdissect_options *ndo, register const u_char *cp, u_int length) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13022_before_1mo_1436060711_ip_printroute.c
+ show +
1
2
3
4
static void ip_printroute(netdissect_options *ndo, register const u_char *cp, u_int length) {
+ show +
5
6
7
8
9
10
11
12
13
14
register u_int ptr; register u_int len; if (length < 3) { ND_PRINT((ndo, " [bad length %u]", length)); return; } if ((length + 1) & 3) ND_PRINT((ndo, " [bad length %u]", length)); ptr = cp[2] - 1;

[tcpdump_CVE-2017-13023_1490195305_mobility_opt_print.diff] mobility_opt_print_OLD.c #1
goto trunc; } /* units of 4 secs */ + ND_TCHECK_16BITS(&bp[i+2]); ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13023_before_1mo_1471530894_mobility_opt_print.c
27
28
29
30
31
32
33
34
35
36
case IP6MOPT_PADN: if (len - i < IP6MOPT_MINLEN) { ND_PRINT((ndo, "(padn: trunc)")); goto trunc; } ND_PRINT((ndo, "(padn)")); break; case IP6MOPT_REFRESH: if (len - i < IP6MOPT_REFRESH_MINLEN) { ND_PRINT((ndo, "(refresh: trunc)"));
+ show +
37
38
39
40
41
42
goto trunc; } /* units of 4 secs */ ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break;
+ show +
43
44
45
46
47
48
49
50
51
52
case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) { ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)"));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13023_before_6mo_1471182139_mobility_opt_print.c
27
28
29
30
31
32
33
34
35
36
case IP6MOPT_PADN: if (len - i < IP6MOPT_MINLEN) { ND_PRINT((ndo, "(padn: trunc)")); goto trunc; } ND_PRINT((ndo, "(padn)")); break; case IP6MOPT_REFRESH: if (len - i < IP6MOPT_REFRESH_MINLEN) { ND_PRINT((ndo, "(refresh: trunc)"));
+ show +
37
38
39
40
41
42
goto trunc; } /* units of 4 secs */ ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break;
+ show +
43
44
45
46
47
48
49
50
51
52
case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) { ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)"));

[tcpdump_CVE-2017-13024_1490196468_mobility_opt_print.diff] mobility_opt_print_OLD.c #1
ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } + ND_TCHECK_16BITS(&bp[i+2]); + ND_TCHECK_16BITS(&bp[i+4]); ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4])));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13023_before_1mo_1471530894_mobility_opt_print.c
42
43
44
45
46
47
48
49
50
51
break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) { ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: if (len - i < IP6MOPT_NONCEID_MINLEN) {
+ show +
52
53
54
55
56
57
ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4])));
+ show +
58
59
60
61
62
63
64
65
66
67
break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) { ND_PRINT((ndo, "(auth: trunc)")); goto trunc; } ND_PRINT((ndo, "(auth)")); break; default: if (len - i < IP6MOPT_MINLEN) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13024_before_imd_1490195305_mobility_opt_print.c
43
44
45
46
47
48
49
50
51
52
break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) { ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: if (len - i < IP6MOPT_NONCEID_MINLEN) {
+ show +
53
54
55
56
57
58
ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4])));
+ show +
59
60
61
62
63
64
65
66
67
68
break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) { ND_PRINT((ndo, "(auth: trunc)")); goto trunc; } ND_PRINT((ndo, "(auth)")); break; default: if (len - i < IP6MOPT_MINLEN) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13023_before_6mo_1471182139_mobility_opt_print.c
42
43
44
45
46
47
48
49
50
51
break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) { ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: if (len - i < IP6MOPT_NONCEID_MINLEN) {
+ show +
52
53
54
55
56
57
ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4])));
+ show +
58
59
60
61
62
63
64
65
66
67
break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) { ND_PRINT((ndo, "(auth: trunc)")); goto trunc; } ND_PRINT((ndo, "(auth)")); break; default: if (len - i < IP6MOPT_MINLEN) {

[tcpdump_CVE-2017-13025_1490198867_mobility_opt_print.diff] mobility_opt_print_OLD.c #1
ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } + ND_TCHECK_128BITS(&bp[i+2]); ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13023_before_1mo_1471530894_mobility_opt_print.c
35
36
37
38
39
40
41
42
43
44
if (len - i < IP6MOPT_REFRESH_MINLEN) { ND_PRINT((ndo, "(refresh: trunc)")); goto trunc; } /* units of 4 secs */ ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) {
+ show +
45
46
47
48
49
50
ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID:
+ show +
51
52
53
54
55
56
57
58
59
60
if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4]))); break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13024_before_imd_1490195305_mobility_opt_print.c
36
37
38
39
40
41
42
43
44
45
ND_PRINT((ndo, "(refresh: trunc)")); goto trunc; } /* units of 4 secs */ ND_TCHECK_16BITS(&bp[i+2]); ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) {
+ show +
46
47
48
49
50
51
ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID:
+ show +
52
53
54
55
56
57
58
59
60
61
if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4]))); break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13025_before_imd_1490196468_mobility_opt_print.c
36
37
38
39
40
41
42
43
44
45
ND_PRINT((ndo, "(refresh: trunc)")); goto trunc; } /* units of 4 secs */ ND_TCHECK_16BITS(&bp[i+2]); ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) {
+ show +
46
47
48
49
50
51
ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID:
+ show +
52
53
54
55
56
57
58
59
60
61
if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_TCHECK_16BITS(&bp[i+2]); ND_TCHECK_16BITS(&bp[i+4]); ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4]))); break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-13023_before_6mo_1471182139_mobility_opt_print.c
35
36
37
38
39
40
41
42
43
44
if (len - i < IP6MOPT_REFRESH_MINLEN) { ND_PRINT((ndo, "(refresh: trunc)")); goto trunc; } /* units of 4 secs */ ND_PRINT((ndo, "(refresh: %u)", EXTRACT_16BITS(&bp[i+2]) << 2)); break; case IP6MOPT_ALTCOA: if (len - i < IP6MOPT_ALTCOA_MINLEN) {
+ show +
45
46
47
48
49
50
ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID:
+ show +
51
52
53
54
55
56
57
58
59
60
if (len - i < IP6MOPT_NONCEID_MINLEN) { ND_PRINT((ndo, "(ni: trunc)")); goto trunc; } ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)", EXTRACT_16BITS(&bp[i+2]), EXTRACT_16BITS(&bp[i+4]))); break; case IP6MOPT_AUTH: if (len - i < IP6MOPT_AUTH_MINLEN) {

[tcpdump_CVE-2017-13028_1490207824_bootp_print.diff] bootp_print_OLD.c #1
if (EXTRACT_16BITS(&bp->bp_secs)) ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs))); + ND_TCHECK(bp->bp_flags); ND_PRINT((ndo, ", Flags [%s]", bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags)))); if (ndo->ndo_vflag > 1)
.\cloneFuncs\totalClone\Type-1\CVE-2017-13028_before_1mo_1482526406_bootp_print.c
31
32
33
34
35
36
37
38
39
40
/* The usual length for 10Mb Ethernet address is 6 bytes */ if (bp->bp_htype != 1 || bp->bp_hlen != 6) ND_PRINT((ndo, ", hlen %d", bp->bp_hlen)); /* Only print interesting fields */ if (bp->bp_hops) ND_PRINT((ndo, ", hops %d", bp->bp_hops)); if (EXTRACT_32BITS(&bp->bp_xid)) ND_PRINT((ndo, ", xid 0x%x", EXTRACT_32BITS(&bp->bp_xid)));
+ show +
41
42
43
44
45
46
if (EXTRACT_16BITS(&bp->bp_secs)) ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs))); ND_PRINT((ndo, ", Flags [%s]", bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags)))); if (ndo->ndo_vflag > 1)
+ show +
47
48
49
50
51
52
53
54
55
56
ND_PRINT((ndo, " (0x%04x)", EXTRACT_16BITS(&bp->bp_flags))); /* Client's ip address */ ND_TCHECK(bp->bp_ciaddr); if (EXTRACT_32BITS(&bp->bp_ciaddr.s_addr)) ND_PRINT((ndo, "\n\t Client-IP %s", ipaddr_string(ndo, &bp->bp_ciaddr))); /* 'your' ip address (bootp client) */ ND_TCHECK(bp->bp_yiaddr); if (EXTRACT_32BITS(&bp->bp_yiaddr.s_addr))
.\cloneFuncs\totalClone\Type-1\CVE-2017-5203_before_imd_1437438221_bootp_print.c
30
31
32
33
34
35
36
37
38
39
/* The usual length for 10Mb Ethernet address is 6 bytes */ if (bp->bp_htype != 1 || bp->bp_hlen != 6) ND_PRINT((ndo, ", hlen %d", bp->bp_hlen)); /* Only print interesting fields */ if (bp->bp_hops) ND_PRINT((ndo, ", hops %d", bp->bp_hops)); if (EXTRACT_32BITS(&bp->bp_xid)) ND_PRINT((ndo, ", xid 0x%x", EXTRACT_32BITS(&bp->bp_xid)));
+ show +
40
41
42
43
44
45
if (EXTRACT_16BITS(&bp->bp_secs)) ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs))); ND_PRINT((ndo, ", Flags [%s]", bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags)))); if (ndo->ndo_vflag > 1)
+ show +
46
47
48
49
50
51
52
53
54
55
ND_PRINT((ndo, " (0x%04x)", EXTRACT_16BITS(&bp->bp_flags))); /* Client's ip address */ ND_TCHECK(bp->bp_ciaddr); if (EXTRACT_32BITS(&bp->bp_ciaddr.s_addr)) ND_PRINT((ndo, "\n\t Client-IP %s", ipaddr_string(ndo, &bp->bp_ciaddr))); /* 'your' ip address (bootp client) */ ND_TCHECK(bp->bp_yiaddr); if (EXTRACT_32BITS(&bp->bp_yiaddr.s_addr))
.\cloneFuncs\totalClone\Type-3\CVE-2017-13028_before_6mo_1471267648_bootp_print.c
30
31
32
33
34
35
36
37
38
39
/* The usual length for 10Mb Ethernet address is 6 bytes */ if (bp->bp_htype != 1 || bp->bp_hlen != 6) ND_PRINT((ndo, ", hlen %d", bp->bp_hlen)); /* Only print interesting fields */ if (bp->bp_hops) ND_PRINT((ndo, ", hops %d", bp->bp_hops)); if (EXTRACT_32BITS(&bp->bp_xid)) ND_PRINT((ndo, ", xid 0x%x", EXTRACT_32BITS(&bp->bp_xid)));
+ show +
40
41
42
43
44
45
if (EXTRACT_16BITS(&bp->bp_secs)) ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs))); ND_PRINT((ndo, ", Flags [%s]", bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags)))); if (ndo->ndo_vflag > 1)
+ show +
46
47
48
49
50
51
52
53
54
55
ND_PRINT((ndo, " (0x%04x)", EXTRACT_16BITS(&bp->bp_flags))); /* Client's ip address */ ND_TCHECK(bp->bp_ciaddr); if (EXTRACT_32BITS(&bp->bp_ciaddr.s_addr)) ND_PRINT((ndo, "\n\t Client-IP %s", ipaddr_string(ndo, &bp->bp_ciaddr))); /* 'your' ip address (bootp client) */ ND_TCHECK(bp->bp_yiaddr); if (EXTRACT_32BITS(&bp->bp_yiaddr.s_addr))

[tcpdump_CVE-2017-13029_1490208486_print_bacp_config_options.diff] print_bacp_config_options_OLD.c #1
ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } - ND_TCHECK2(*(p + 2), 4); + ND_TCHECK_32BITS(p + 2); ND_PRINT((ndo, ": Magic-Num 0x%08x", EXTRACT_32BITS(p + 2))); break; default:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_bacp_config_options.c
20
21
22
23
24
25
26
27
28
29
} ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u", tok2str(bacconfopts_values, "Unknown", opt), opt, len)); switch (opt) { case BACPOPT_FPEER: if (len != 6) {
+ show +
30
31
32
33
34
35
36
ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": Magic-Num 0x%08x", EXTRACT_32BITS(p + 2))); break; default:
+ show +
37
38
39
40
41
42
43
44
45
46
/* * Unknown option; dump it as raw bytes now if we're * not going to do so below. */ if (ndo->ndo_vflag < 2) print_unknown_data(ndo, &p[2], "\n\t ", len - 2); break; } if (ndo->ndo_vflag > 1) print_unknown_data(ndo, &p[2], "\n\t ", len - 2); /* exclude TLV header */

[tcpdump_CVE-2017-13029_1490208486_print_ipcp_config_options.diff] print_ipcp_config_options_OLD.c #1
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return 0; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p+2); compproto = EXTRACT_16BITS(p+2); ND_PRINT((ndo, ": %s (0x%02x):",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_ipcp_config_options.c
31
32
33
34
35
36
37
38
39
40
ND_PRINT((ndo, " (length bogus, should be = 10)")); return len; } ND_TCHECK2(*(p + 6), 4); ND_PRINT((ndo, ": src %s, dst %s", ipaddr_string(ndo, p + 2), ipaddr_string(ndo, p + 6))); break; case IPCPOPT_IPCOMP: if (len < 4) {
+ show +
41
42
43
44
45
46
47
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return 0; } ND_TCHECK2(*(p + 2), 2); compproto = EXTRACT_16BITS(p+2); ND_PRINT((ndo, ": %s (0x%02x):",
+ show +
48
49
50
51
52
53
54
55
56
57
tok2str(ipcpopt_compproto_values, "Unknown", compproto), compproto)); switch (compproto) { case PPP_VJC: /* XXX: VJ-Comp parameters should be decoded */ break; case IPCPOPT_IPCOMP_HDRCOMP: if (len < IPCPOPT_IPCOMP_MINLEN) { ND_PRINT((ndo, " (length bogus, should be >= %u)",

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #1
ND_PRINT((ndo, " (length bogus, should be >= 6)")); return len; } - ND_TCHECK2(*(p + 2), 3); + ND_TCHECK_24BITS(p + 2); ND_PRINT((ndo, ": Vendor: %s (%u)", tok2str(oui_values,"Unknown",EXTRACT_24BITS(p+2)), EXTRACT_24BITS(p + 2)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
22
23
24
25
26
27
28
29
30
31
if ((opt >= LCPOPT_MIN) && (opt <= LCPOPT_MAX)) ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u", lcpconfopts[opt], opt, len)); else { ND_PRINT((ndo, "\n\tunknown LCP option 0x%02x", opt)); return len; } switch (opt) { case LCPOPT_VEXT: if (len < 6) {
+ show +
32
33
34
35
36
37
38
ND_PRINT((ndo, " (length bogus, should be >= 6)")); return len; } ND_TCHECK2(*(p + 2), 3); ND_PRINT((ndo, ": Vendor: %s (%u)", tok2str(oui_values,"Unknown",EXTRACT_24BITS(p+2)), EXTRACT_24BITS(p + 2)));
+ show +
39
40
41
42
43
44
45
46
47
48
#if 0 ND_TCHECK(p[5]); ND_PRINT((ndo, ", kind: 0x%02x", p[5])); ND_PRINT((ndo, ", Value: 0x")); for (i = 0; i < len - 6; i++) { ND_TCHECK(p[6 + i]); ND_PRINT((ndo, "%02x", p[6 + i])); } #endif break;

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #2
ND_PRINT((ndo, " (length bogus, should be = 4)")); return len; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p + 2); ND_PRINT((ndo, ": %u", EXTRACT_16BITS(p + 2))); break; case LCPOPT_ACCM:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
41
42
43
44
45
46
47
48
49
50
ND_PRINT((ndo, ", kind: 0x%02x", p[5])); ND_PRINT((ndo, ", Value: 0x")); for (i = 0; i < len - 6; i++) { ND_TCHECK(p[6 + i]); ND_PRINT((ndo, "%02x", p[6 + i])); } #endif break; case LCPOPT_MRU: if (len != 4) {
+ show +
51
52
53
54
55
56
57
ND_PRINT((ndo, " (length bogus, should be = 4)")); return len; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": %u", EXTRACT_16BITS(p + 2))); break; case LCPOPT_ACCM:
+ show +
58
59
60
61
62
63
64
65
66
67
if (len != 6) { ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_AP: if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)"));

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #3
ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } - ND_TCHECK2(*(p + 2), 4); + ND_TCHECK_32BITS(p + 2); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_AP:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
49
50
51
52
53
54
55
56
57
58
case LCPOPT_MRU: if (len != 4) { ND_PRINT((ndo, " (length bogus, should be = 4)")); return len; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": %u", EXTRACT_16BITS(p + 2))); break; case LCPOPT_ACCM: if (len != 6) {
+ show +
59
60
61
62
63
64
65
ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_AP:
+ show +
66
67
68
69
70
71
72
73
74
75
if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": %s", tok2str(ppptype2str, "Unknown Auth Proto (0x04x)", EXTRACT_16BITS(p + 2)))); switch (EXTRACT_16BITS(p+2)) { case PPP_CHAP: ND_TCHECK(p[4]);

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #4
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p + 2); ND_PRINT((ndo, ": %s", tok2str(ppptype2str, "Unknown Auth Proto (0x04x)", EXTRACT_16BITS(p + 2)))); switch (EXTRACT_16BITS(p+2)) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
57
58
59
60
61
62
63
64
65
66
case LCPOPT_ACCM: if (len != 6) { ND_PRINT((ndo, " (length bogus, should be = 6)")); return len; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_AP: if (len < 4) {
+ show +
67
68
69
70
71
72
73
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": %s", tok2str(ppptype2str, "Unknown Auth Proto (0x04x)", EXTRACT_16BITS(p + 2)))); switch (EXTRACT_16BITS(p+2)) {
+ show +
74
75
76
77
78
79
80
81
82
83
case PPP_CHAP: ND_TCHECK(p[4]); ND_PRINT((ndo, ", %s", tok2str(authalg_values, "Unknown Auth Alg %u", p[4]))); break; case PPP_PAP: /* fall through */ case PPP_EAP: case PPP_SPAP: case PPP_SPAP_OLD: break; default:

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #5
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return 0; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p+2); if (EXTRACT_16BITS(p+2) == PPP_LQM) ND_PRINT((ndo, ": LQR")); else
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
79
80
81
82
83
84
85
86
87
88
case PPP_EAP: case PPP_SPAP: case PPP_SPAP_OLD: break; default: print_unknown_data(ndo, p, "\n\t", len); } break; case LCPOPT_QP: if (len < 4) {
+ show +
89
90
91
92
93
94
95
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return 0; } ND_TCHECK2(*(p + 2), 2); if (EXTRACT_16BITS(p+2) == PPP_LQM) ND_PRINT((ndo, ": LQR")); else
+ show +
96
97
98
99
100
101
102
103
104
105
ND_PRINT((ndo, ": unknown")); break; case LCPOPT_MN: if (len != 6) { ND_PRINT((ndo, " (length bogus, should be = 6)")); return 0; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break;

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #6
ND_PRINT((ndo, " (length bogus, should be = 6)")); return 0; } - ND_TCHECK2(*(p + 2), 4); + ND_TCHECK_32BITS(p + 2); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_PFC:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
90
91
92
93
94
95
96
97
98
99
return 0; } ND_TCHECK2(*(p + 2), 2); if (EXTRACT_16BITS(p+2) == PPP_LQM) ND_PRINT((ndo, ": LQR")); else ND_PRINT((ndo, ": unknown")); break; case LCPOPT_MN: if (len != 6) {
+ show +
100
101
102
103
104
105
106
ND_PRINT((ndo, " (length bogus, should be = 6)")); return 0; } ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_PFC:
+ show +
107
108
109
110
111
112
113
114
115
116
break; case LCPOPT_ACFC: break; case LCPOPT_LD: if (len != 4) { ND_PRINT((ndo, " (length bogus, should be = 4)")); return 0; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": 0x%04x", EXTRACT_16BITS(p + 2)));

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #7
ND_PRINT((ndo, " (length bogus, should be = 4)")); return 0; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p + 2); ND_PRINT((ndo, ": 0x%04x", EXTRACT_16BITS(p + 2))); break; case LCPOPT_CBACK:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
102
103
104
105
106
107
108
109
110
111
} ND_TCHECK2(*(p + 2), 4); ND_PRINT((ndo, ": 0x%08x", EXTRACT_32BITS(p + 2))); break; case LCPOPT_PFC: break; case LCPOPT_ACFC: break; case LCPOPT_LD: if (len != 4) {
+ show +
112
113
114
115
116
117
118
ND_PRINT((ndo, " (length bogus, should be = 4)")); return 0; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": 0x%04x", EXTRACT_16BITS(p + 2))); break; case LCPOPT_CBACK:
+ show +
119
120
121
122
123
124
125
126
127
128
if (len < 3) { ND_PRINT((ndo, " (length bogus, should be >= 3)")); return 0; } ND_PRINT((ndo, ": ")); ND_TCHECK(p[2]); ND_PRINT((ndo, ": Callback Operation %s (%u)", tok2str(ppp_callback_values, "Unknown", p[2]), p[2])); break;

[tcpdump_CVE-2017-13029_1490208486_print_lcp_config_options.diff] print_lcp_config_options_OLD.c #8
ND_PRINT((ndo, " (length bogus, should be = 4)")); return 0; } - ND_TCHECK2(*(p + 2), 2); + ND_TCHECK_16BITS(p + 2); ND_PRINT((ndo, ": %u", EXTRACT_16BITS(p + 2))); break; case LCPOPT_MLED:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_1mo_1435949729_print_lcp_config_options.c
121
122
123
124
125
126
127
128
129
130
return 0; } ND_PRINT((ndo, ": ")); ND_TCHECK(p[2]); ND_PRINT((ndo, ": Callback Operation %s (%u)", tok2str(ppp_callback_values, "Unknown", p[2]), p[2])); break; case LCPOPT_MLMRRU: if (len != 4) {
+ show +
131
132
133
134
135
136
137
ND_PRINT((ndo, " (length bogus, should be = 4)")); return 0; } ND_TCHECK2(*(p + 2), 2); ND_PRINT((ndo, ": %u", EXTRACT_16BITS(p + 2))); break; case LCPOPT_MLED:
+ show +
138
139
140
141
142
143
144
145
146
147
if (len < 3) { ND_PRINT((ndo, " (length bogus, should be >= 3)")); return 0; } ND_TCHECK(p[2]); switch (p[2]) { /* class */ case MEDCLASS_NULL: ND_PRINT((ndo, ": Null")); break; case MEDCLASS_LOCAL:

[tcpdump_CVE-2017-13029_1490208486_print_ccp_config_options.diff] print_ccp_config_options_OLD.c #1
ND_PRINT((ndo, " (length bogus, should be >= 3)")); return len; } - ND_TCHECK2(*(p + 2), 1); + ND_TCHECK(p[2]); ND_PRINT((ndo, ": Version: %u, Dictionary Bits: %u", p[2] >> 5, p[2] & 0x1f)); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_imd_1486153454_print_ccp_config_options.c
20
21
22
23
24
25
26
27
28
29
} ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u", tok2str(ccpconfopts_values, "Unknown", opt), opt, len)); switch (opt) { case CCPOPT_BSDCOMP: if (len < 3) {
+ show +
30
31
32
33
34
35
36
ND_PRINT((ndo, " (length bogus, should be >= 3)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Version: %u, Dictionary Bits: %u", p[2] >> 5, p[2] & 0x1f)); break;
+ show +
37
38
39
40
41
42
43
44
45
46
case CCPOPT_MVRCA: if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled", p[2] & 0x1f, p[3]));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13029_before_1mo_1435949729_print_ccp_config_options.c
20
21
22
23
24
25
26
27
28
29
} ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u", tok2str(ccpconfopts_values, "Unknown", opt), opt, len)); switch (opt) { case CCPOPT_BSDCOMP: if (len < 3) {
+ show +
30
31
32
33
34
35
36
ND_PRINT((ndo, " (length bogus, should be >= 3)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Version: %u, Dictionary Bits: %u", p[2] >> 5, p[2] & 0x1f)); break;
+ show +
37
38
39
40
41
42
43
44
45
46
case CCPOPT_MVRCA: if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled", p[2] & 0x1f, p[3]));

[tcpdump_CVE-2017-13029_1490208486_print_ccp_config_options.diff] print_ccp_config_options_OLD.c #2
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } - ND_TCHECK2(*(p + 2), 1); + ND_TCHECK(p[3]); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_imd_1486153454_print_ccp_config_options.c
29
30
31
32
33
34
35
36
37
38
if (len < 3) { ND_PRINT((ndo, " (length bogus, should be >= 3)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Version: %u, Dictionary Bits: %u", p[2] >> 5, p[2] & 0x1f)); break; case CCPOPT_MVRCA: if (len < 4) {
+ show +
39
40
41
42
43
44
45
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled",
+ show +
46
47
48
49
50
51
52
53
54
55
p[2] & 0x1f, p[3])); break; case CCPOPT_DEFLATE: if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Window: %uK, Method: %s (0x%x), MBZ: %u, CHK: %u", (p[2] & 0xf0) >> 4,
.\cloneFuncs\totalClone\Type-2\CVE-2017-13029_before_1mo_1435949729_print_ccp_config_options.c
29
30
31
32
33
34
35
36
37
38
if (len < 3) { ND_PRINT((ndo, " (length bogus, should be >= 3)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Version: %u, Dictionary Bits: %u", p[2] >> 5, p[2] & 0x1f)); break; case CCPOPT_MVRCA: if (len < 4) {
+ show +
39
40
41
42
43
44
45
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled",
+ show +
46
47
48
49
50
51
52
53
54
55
p[2] & 0x1f, p[3])); break; case CCPOPT_DEFLATE: if (len < 4) { ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Window: %uK, Method: %s (0x%x), MBZ: %u, CHK: %u", (p[2] & 0xf0) >> 4,

[tcpdump_CVE-2017-13029_1490208486_print_ccp_config_options.diff] print_ccp_config_options_OLD.c #3
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } - ND_TCHECK2(*(p + 2), 1); + ND_TCHECK(p[3]); ND_PRINT((ndo, ": Window: %uK, Method: %s (0x%x), MBZ: %u, CHK: %u", (p[2] & 0xf0) >> 4, ((p[2] & 0x0f) == 8) ? "zlib" : "unknown",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13029_before_imd_1486153454_print_ccp_config_options.c
40
41
42
43
44
45
46
47
48
49
return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Features: %u, PxP: %s, History: %u, #CTX-ID: %u", (p[2] & 0xc0) >> 6, (p[2] & 0x20) ? "Enabled" : "Disabled", p[2] & 0x1f, p[3])); break; case CCPOPT_DEFLATE: if (len < 4) {
+ show +
50
51
52
53
54
55
56
ND_PRINT((ndo, " (length bogus, should be >= 4)")); return len; } ND_TCHECK2(*(p + 2), 1); ND_PRINT((ndo, ": Window: %uK, Method: %s (0x%x), MBZ: %u, CHK: %u", (p[2] & 0xf0) >> 4, ((p[2] & 0x0f) == 8) ? "zlib" : "unknown",
+ show +
57
58
59
60
61
62
63
64
65
66
p[2] & 0x0f, (p[3] & 0xfc) >> 2, p[3] & 0x03)); break; /* XXX: to be supported */ #if 0 case CCPOPT_OUI: case CCPOPT_PRED1: case CCPOPT_PRED2: case CCPOPT_PJUMP: case CCPOPT_HPPPC:

[tcpdump_CVE-2017-13030_1490216968_cisco_autorp_print.diff] cisco_autorp_print_OLD.c #1
int numrps; int hold; + if (len < 8) + goto trunc; ND_TCHECK(bp[0]); ND_PRINT((ndo, " auto-rp ")); type = bp[0];
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_cisco_autorp_print.c
1
2
3
4
5
void cisco_autorp_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { int type;
+ show +
6
7
8
9
10
11
int numrps; int hold; ND_TCHECK(bp[0]); ND_PRINT((ndo, " auto-rp ")); type = bp[0];
+ show +
12
13
14
15
16
17
18
19
20
21
switch (type) { case 0x11: ND_PRINT((ndo, "candidate-advert")); break; case 0x12: ND_PRINT((ndo, "mapping")); break; default: ND_PRINT((ndo, "type-0x%02x", type)); break;
.\cloneFuncs\totalClone\Type-2\CVE-2017-13030_before_6mo_1471182139_cisco_autorp_print.c
1
2
3
4
5
void cisco_autorp_print(netdissect_options *ndo, register const u_char *bp, register u_int len) { int type;
+ show +
6
7
8
9
10
11
int numrps; int hold; ND_TCHECK(bp[0]); ND_PRINT((ndo, " auto-rp ")); type = bp[0];
+ show +
12
13
14
15
16
17
18
19
20
21
switch (type) { case 0x11: ND_PRINT((ndo, "candidate-advert")); break; case 0x12: ND_PRINT((ndo, "mapping")); break; default: ND_PRINT((ndo, "type-0x%02x", type)); break;

[tcpdump_CVE-2017-13030_1490216968_cisco_autorp_print.diff] cisco_autorp_print_OLD.c #2
int nentries; char s; + if (len < 4) + goto trunc; ND_TCHECK2(bp[0], 4); ND_PRINT((ndo, " RP %s", ipaddr_string(ndo, bp))); - ND_TCHECK(bp[4]); - switch (bp[4] & 0x3) { + bp += 4; + len -= 4; + if (len < 1) + goto trunc; + ND_TCHECK(bp[0]); + switch (bp[0] & 0x3) { case 0: ND_PRINT((ndo, " PIMv?")); break; case 1: ND_PRINT((ndo, " PIMv1"));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_cisco_autorp_print.c
43
44
45
46
47
48
49
50
51
52
* numrps entries of the form: * 32 bits: RP * 6 bits: reserved * 2 bits: PIM version supported, bit 0 is "supports v1", 1 is "v2". * 8 bits: # of entries for this RP * each entry: 7 bits: reserved, 1 bit: negative, * 8 bits: mask 32 bits: source * lather, rinse, repeat. */ while (numrps--) {
+ show +
53
54
55
56
57
58
59
60
61
62
int nentries; char s; ND_TCHECK2(bp[0], 4); ND_PRINT((ndo, " RP %s", ipaddr_string(ndo, bp))); ND_TCHECK(bp[4]); switch (bp[4] & 0x3) { case 0: ND_PRINT((ndo, " PIMv?")); break; case 1: ND_PRINT((ndo, " PIMv1"));
+ show +
63
64
65
66
67
68
69
70
71
72
break; case 2: ND_PRINT((ndo, " PIMv2")); break; case 3: ND_PRINT((ndo, " PIMv1+2")); break; } if (bp[4] & 0xfc) ND_PRINT((ndo, " [rsvd=0x%02x]", bp[4] & 0xfc)); ND_TCHECK(bp[5]); nentries = bp[5];
.\cloneFuncs\totalClone\Type-2\CVE-2017-13030_before_6mo_1471182139_cisco_autorp_print.c
43
44
45
46
47
48
49
50
51
52
* numrps entries of the form: * 32 bits: RP * 6 bits: reserved * 2 bits: PIM version supported, bit 0 is "supports v1", 1 is "v2". * 8 bits: # of entries for this RP * each entry: 7 bits: reserved, 1 bit: negative, * 8 bits: mask 32 bits: source * lather, rinse, repeat. */ while (numrps--) {
+ show +
53
54
55
56
57
58
59
60
61
62
int nentries; char s; ND_TCHECK2(bp[0], 4); ND_PRINT((ndo, " RP %s", ipaddr_string(ndo, bp))); ND_TCHECK(bp[4]); switch (bp[4] & 0x3) { case 0: ND_PRINT((ndo, " PIMv?")); break; case 1: ND_PRINT((ndo, " PIMv1"));
+ show +
63
64
65
66
67
68
69
70
71
72
break; case 2: ND_PRINT((ndo, " PIMv2")); break; case 3: ND_PRINT((ndo, " PIMv1+2")); break; } if (bp[4] & 0xfc) ND_PRINT((ndo, " [rsvd=0x%02x]", bp[4] & 0xfc)); ND_TCHECK(bp[5]); nentries = bp[5];

[tcpdump_CVE-2017-13030_1490216968_cisco_autorp_print.diff] cisco_autorp_print_OLD.c #3
case 3: ND_PRINT((ndo, " PIMv1+2")); break; } - if (bp[4] & 0xfc) - ND_PRINT((ndo, " [rsvd=0x%02x]", bp[4] & 0xfc)); - ND_TCHECK(bp[5]); - nentries = bp[5]; - bp += 6; len -= 6; + if (bp[0] & 0xfc) + ND_PRINT((ndo, " [rsvd=0x%02x]", bp[0] & 0xfc)); + bp += 1; + len -= 1; + if (len < 1) + goto trunc; + ND_TCHECK(bp[0]); + nentries = bp[0]; + bp += 1; + len -= 1; s = ' '; for (; nentries; nentries--) { + if (len < 6) + goto trunc; ND_TCHECK2(bp[0], 6); ND_PRINT((ndo, "%c%s%s/%d", s, bp[0] & 1 ? "!" : "", ipaddr_string(ndo, &bp[2]), bp[1]));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_cisco_autorp_print.c
56
57
58
59
60
61
62
63
64
65
ND_TCHECK2(bp[0], 4); ND_PRINT((ndo, " RP %s", ipaddr_string(ndo, bp))); ND_TCHECK(bp[4]); switch (bp[4] & 0x3) { case 0: ND_PRINT((ndo, " PIMv?")); break; case 1: ND_PRINT((ndo, " PIMv1")); break; case 2: ND_PRINT((ndo, " PIMv2")); break;
+ show +
66
67
68
69
70
71
72
73
74
75
76
77
78
case 3: ND_PRINT((ndo, " PIMv1+2")); break; } if (bp[4] & 0xfc) ND_PRINT((ndo, " [rsvd=0x%02x]", bp[4] & 0xfc)); ND_TCHECK(bp[5]); nentries = bp[5]; bp += 6; len -= 6; s = ' '; for (; nentries; nentries--) { ND_TCHECK2(bp[0], 6); ND_PRINT((ndo, "%c%s%s/%d", s, bp[0] & 1 ? "!" : "", ipaddr_string(ndo, &bp[2]), bp[1]));
+ show +
79
80
81
82
83
84
85
86
87
88
if (bp[0] & 0x02) { ND_PRINT((ndo, " bidir")); } if (bp[0] & 0xfc) { ND_PRINT((ndo, "[rsvd=0x%02x]", bp[0] & 0xfc)); } s = ','; bp += 6; len -= 6; } }
.\cloneFuncs\totalClone\Type-2\CVE-2017-13030_before_6mo_1471182139_cisco_autorp_print.c
56
57
58
59
60
61
62
63
64
65
ND_TCHECK2(bp[0], 4); ND_PRINT((ndo, " RP %s", ipaddr_string(ndo, bp))); ND_TCHECK(bp[4]); switch (bp[4] & 0x3) { case 0: ND_PRINT((ndo, " PIMv?")); break; case 1: ND_PRINT((ndo, " PIMv1")); break; case 2: ND_PRINT((ndo, " PIMv2")); break;
+ show +
66
67
68
69
70
71
72
73
74
75
76
77
78
case 3: ND_PRINT((ndo, " PIMv1+2")); break; } if (bp[4] & 0xfc) ND_PRINT((ndo, " [rsvd=0x%02x]", bp[4] & 0xfc)); ND_TCHECK(bp[5]); nentries = bp[5]; bp += 6; len -= 6; s = ' '; for (; nentries; nentries--) { ND_TCHECK2(bp[0], 6); ND_PRINT((ndo, "%c%s%s/%d", s, bp[0] & 1 ? "!" : "", ipaddr_string(ndo, &bp[2]), bp[1]));
+ show +
79
80
81
82
83
84
85
86
87
88
if (bp[0] & 0x02) { ND_PRINT((ndo, " bidir")); } if (bp[0] & 0xfc) { ND_PRINT((ndo, "[rsvd=0x%02x]", bp[0] & 0xfc)); } s = ','; bp += 6; len -= 6; } }

[tcpdump_CVE-2017-13030_1490216968_pimv1_join_prune_print.diff] pimv1_join_prune_print_OLD.c #1
return; } + if (len < sizeof(struct in_addr)) + goto trunc; ND_TCHECK2(bp[0], sizeof(struct in_addr)); if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n")); ND_PRINT((ndo, " Upstream Nbr: %s", ipaddr_string(ndo, bp))); - ND_TCHECK2(bp[6], 2); + bp += 4; + len -= 4; + if (len < 4) + goto trunc; + ND_TCHECK2(bp[2], 2); if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n")); ND_PRINT((ndo, " Hold time: ")); - unsigned_relts_print(ndo, EXTRACT_16BITS(&bp[6])); + unsigned_relts_print(ndo, EXTRACT_16BITS(&bp[2])); if (ndo->ndo_vflag < 2) return; - bp += 8; - len -= 8; + bp += 4; + len -= 4; + if (len < 4) + goto trunc; ND_TCHECK2(bp[0], 4); ngroups = bp[3]; bp += 4;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv1_join_prune_print.c
18
19
20
21
22
23
24
25
26
27
} ND_PRINT((ndo, "%s (%s/%d, %s", njoin ? "Join" : "Prune", ipaddr_string(ndo, &bp[26]), bp[25] & 0x3f, ipaddr_string(ndo, &bp[12]))); if (EXTRACT_32BITS(&bp[16]) != 0xffffffff) ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[16]))); ND_PRINT((ndo, ") %s%s %s", (bp[24] & 0x01) ? "Sparse" : "Dense", (bp[25] & 0x80) ? " WC" : "", (bp[25] & 0x40) ? "RP" : "SPT"));
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
return; } ND_TCHECK2(bp[0], sizeof(struct in_addr)); if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n")); ND_PRINT((ndo, " Upstream Nbr: %s", ipaddr_string(ndo, bp))); ND_TCHECK2(bp[6], 2); if (ndo->ndo_vflag > 1) ND_PRINT((ndo, "\n")); ND_PRINT((ndo, " Hold time: ")); unsigned_relts_print(ndo, EXTRACT_16BITS(&bp[6])); if (ndo->ndo_vflag < 2) return; bp += 8; len -= 8; ND_TCHECK2(bp[0], 4); ngroups = bp[3]; bp += 4;
+ show +
48
49
50
51
52
53
54
55
56
57
len -= 4; while (ngroups--) { /* * XXX - does the address have length "addrlen" and the * mask length "maddrlen"? */ ND_TCHECK2(bp[0], sizeof(struct in_addr)); ND_PRINT((ndo, "\n\tGroup: %s", ipaddr_string(ndo, bp))); ND_TCHECK2(bp[4], sizeof(struct in_addr)); if (EXTRACT_32BITS(&bp[4]) != 0xffffffff)

[tcpdump_CVE-2017-13030_1490216968_pimv1_join_prune_print.diff] pimv1_join_prune_print_OLD.c #2
* XXX - does the address have length "addrlen" and the * mask length "maddrlen"? */ + if (len < 4) + goto trunc; ND_TCHECK2(bp[0], sizeof(struct in_addr)); ND_PRINT((ndo, "\n\tGroup: %s", ipaddr_string(ndo, bp))); - ND_TCHECK2(bp[4], sizeof(struct in_addr)); - if (EXTRACT_32BITS(&bp[4]) != 0xffffffff) - ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[4]))); - ND_TCHECK2(bp[8], 4); - njoin = EXTRACT_16BITS(&bp[8]); - nprune = EXTRACT_16BITS(&bp[10]); + bp += 4; + len -= 4; + if (len < 4) + goto trunc; + ND_TCHECK2(bp[0], sizeof(struct in_addr)); + if (EXTRACT_32BITS(&bp[0]) != 0xffffffff) + ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[0]))); + bp += 4; + len -= 4; + if (len < 4) + goto trunc; + ND_TCHECK2(bp[0], 4); + njoin = EXTRACT_16BITS(&bp[0]); + nprune = EXTRACT_16BITS(&bp[2]); ND_PRINT((ndo, " joined: %d pruned: %d", njoin, nprune)); - bp += 12; - len -= 12; + bp += 4; + len -= 4; for (njp = 0; njp < (njoin + nprune); njp++) { const char *type;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv1_join_prune_print.c
41
42
43
44
45
46
47
48
49
50
return; bp += 8; len -= 8; ND_TCHECK2(bp[0], 4); ngroups = bp[3]; bp += 4; len -= 4; while (ngroups--) { /*
+ show +
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
* XXX - does the address have length "addrlen" and the * mask length "maddrlen"? */ ND_TCHECK2(bp[0], sizeof(struct in_addr)); ND_PRINT((ndo, "\n\tGroup: %s", ipaddr_string(ndo, bp))); ND_TCHECK2(bp[4], sizeof(struct in_addr)); if (EXTRACT_32BITS(&bp[4]) != 0xffffffff) ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[4]))); ND_TCHECK2(bp[8], 4); njoin = EXTRACT_16BITS(&bp[8]); nprune = EXTRACT_16BITS(&bp[10]); ND_PRINT((ndo, " joined: %d pruned: %d", njoin, nprune)); bp += 12; len -= 12; for (njp = 0; njp < (njoin + nprune); njp++) { const char *type;
+ show +
67
68
69
70
71
72
73
74
75
76
if (njp < njoin) type = "Join "; else type = "Prune"; ND_TCHECK2(bp[0], 6); ND_PRINT((ndo, "\n\t%s %s%s%s%s/%d", type, (bp[0] & 0x01) ? "Sparse " : "Dense ", (bp[1] & 0x80) ? "WC " : "", (bp[1] & 0x40) ? "RP " : "SPT ",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13030_before_6mo_1471182139_pimv1_join_prune_print.c
41
42
43
44
45
46
47
48
49
50
return; bp += 8; len -= 8; ND_TCHECK2(bp[0], 4); ngroups = bp[3]; bp += 4; len -= 4; while (ngroups--) { /*
+ show +
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
* XXX - does the address have length "addrlen" and the * mask length "maddrlen"? */ ND_TCHECK2(bp[0], sizeof(struct in_addr)); ND_PRINT((ndo, "\n\tGroup: %s", ipaddr_string(ndo, bp))); ND_TCHECK2(bp[4], sizeof(struct in_addr)); if (EXTRACT_32BITS(&bp[4]) != 0xffffffff) ND_PRINT((ndo, "/%s", ipaddr_string(ndo, &bp[4]))); ND_TCHECK2(bp[8], 4); njoin = EXTRACT_16BITS(&bp[8]); nprune = EXTRACT_16BITS(&bp[10]); ND_PRINT((ndo, " joined: %d pruned: %d", njoin, nprune)); bp += 12; len -= 12; for (njp = 0; njp < (njoin + nprune); njp++) { const char *type;
+ show +
67
68
69
70
71
72
73
74
75
76
if (njp < njoin) type = "Join "; else type = "Prune"; ND_TCHECK2(bp[0], 6); ND_PRINT((ndo, "\n\t%s %s%s%s%s/%d", type, (bp[0] & 0x01) ? "Sparse " : "Dense ", (bp[1] & 0x80) ? "WC " : "", (bp[1] & 0x40) ? "RP " : "SPT ",

[tcpdump_CVE-2017-13030_1490216968_pimv2_addr_print.diff] pimv2_addr_print_OLD.c #1
static int pimv2_addr_print(netdissect_options *ndo, - const u_char *bp, enum pimv2_addrtype at, int silent) + const u_char *bp, u_int len, enum pimv2_addrtype at, + u_int addr_len, int silent) { int af; - int len, hdrlen; + int hdrlen; - ND_TCHECK(bp[0]); - - if (pimv2_addr_len == 0) { + if (addr_len == 0) { + if (len < 2) + goto trunc; ND_TCHECK(bp[1]); switch (bp[0]) { case 1: af = AF_INET; - len = sizeof(struct in_addr); + addr_len = (u_int)sizeof(struct in_addr); break; case 2: af = AF_INET6; - len = sizeof(struct in6_addr); + addr_len = (u_int)sizeof(struct in6_addr); break; default: return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv2_addr_print.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
static int pimv2_addr_print(netdissect_options *ndo, const u_char *bp, enum pimv2_addrtype at, int silent) { int af; int len, hdrlen; ND_TCHECK(bp[0]); if (pimv2_addr_len == 0) { ND_TCHECK(bp[1]); switch (bp[0]) { case 1: af = AF_INET; len = sizeof(struct in_addr); break; case 2: af = AF_INET6; len = sizeof(struct in6_addr); break; default: return -1;
+ show +
23
24
25
26
27
28
29
30
31
32
} if (bp[1] != 0) return -1; hdrlen = 2; } else { switch (pimv2_addr_len) { case sizeof(struct in_addr): af = AF_INET; break; case sizeof(struct in6_addr):

[tcpdump_CVE-2017-13030_1490216968_pimv2_addr_print.diff] pimv2_addr_print_OLD.c #2
return -1; hdrlen = 2; } else { - switch (pimv2_addr_len) { + switch (addr_len) { case sizeof(struct in_addr): af = AF_INET; break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv2_addr_print.c
15
16
17
18
19
20
21
22
23
24
len = sizeof(struct in_addr); break; case 2: af = AF_INET6; len = sizeof(struct in6_addr); break; default: return -1; } if (bp[1] != 0)
+ show +
25
26
27
28
29
30
31
return -1; hdrlen = 2; } else { switch (pimv2_addr_len) { case sizeof(struct in_addr): af = AF_INET; break;
+ show +
32
33
34
35
36
37
38
39
40
41
case sizeof(struct in6_addr): af = AF_INET6; break; default: return -1; break; } len = pimv2_addr_len; hdrlen = 0; }

[tcpdump_CVE-2017-13030_1490216968_pimv2_addr_print.diff] pimv2_addr_print_OLD.c #3
return -1; break; } - len = pimv2_addr_len; hdrlen = 0; } bp += hdrlen; + len -= hdrlen; switch (at) { case pimv2_unicast: - ND_TCHECK2(bp[0], len); + if (len < addr_len) + goto trunc; + ND_TCHECK2(bp[0], addr_len); if (af == AF_INET) { if (!silent) ND_PRINT((ndo, "%s", ipaddr_string(ndo, bp)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv2_addr_print.c
26
27
28
29
30
31
32
33
34
35
hdrlen = 2; } else { switch (pimv2_addr_len) { case sizeof(struct in_addr): af = AF_INET; break; case sizeof(struct in6_addr): af = AF_INET6; break; default:
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
48
49
return -1; break; } len = pimv2_addr_len; hdrlen = 0; } bp += hdrlen; switch (at) { case pimv2_unicast: ND_TCHECK2(bp[0], len); if (af == AF_INET) { if (!silent) ND_PRINT((ndo, "%s", ipaddr_string(ndo, bp)));
+ show +
50
51
52
53
54
55
56
57
58
59
} else if (af == AF_INET6) { if (!silent) ND_PRINT((ndo, "%s", ip6addr_string(ndo, bp))); } return hdrlen + len; case pimv2_group: case pimv2_source: ND_TCHECK2(bp[0], len + 2); if (af == AF_INET) {

[tcpdump_CVE-2017-13030_1490216968_pimv2_addr_print.diff] pimv2_addr_print_OLD.c #4
if (!silent) ND_PRINT((ndo, "%s", ip6addr_string(ndo, bp))); } - return hdrlen + len; + return hdrlen + addr_len; case pimv2_group: case pimv2_source: - ND_TCHECK2(bp[0], len + 2); + if (len < addr_len + 2) + goto trunc; + ND_TCHECK2(bp[0], addr_len + 2); if (af == AF_INET) { if (!silent) { ND_PRINT((ndo, "%s", ipaddr_string(ndo, bp + 2)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pimv2_addr_print.c
42
43
44
45
46
47
48
49
50
51
bp += hdrlen; switch (at) { case pimv2_unicast: ND_TCHECK2(bp[0], len); if (af == AF_INET) { if (!silent) ND_PRINT((ndo, "%s", ipaddr_string(ndo, bp))); } else if (af == AF_INET6) {
+ show +
52
53
54
55
56
57
58
59
60
61
if (!silent) ND_PRINT((ndo, "%s", ip6addr_string(ndo, bp))); } return hdrlen + len; case pimv2_group: case pimv2_source: ND_TCHECK2(bp[0], len + 2); if (af == AF_INET) { if (!silent) { ND_PRINT((ndo, "%s", ipaddr_string(ndo, bp + 2)));
+ show +
62
63
64
65
66
67
68
69
70
71
if (bp[1] != 32) ND_PRINT((ndo, "/%u", bp[1])); } } else if (af == AF_INET6) { if (!silent) { ND_PRINT((ndo, "%s", ip6addr_string(ndo, bp + 2))); if (bp[1] != 128) ND_PRINT((ndo, "/%u", bp[1])); }

[tcpdump_CVE-2017-13030_1490216968_pim_print.diff] pim_print_OLD.c #1
pim_print(netdissect_options *ndo, register const u_char *bp, register u_int len, const u_char *bp2) { - register const u_char *ep; register const struct pim *pim = (const struct pim *)bp; - ep = (const u_char *)ndo->ndo_snapend; - if (bp >= ep) - return; #ifdef notyet /* currently we see only version and type */ ND_TCHECK(pim->pim_rsv); #endif + ND_TCHECK(pim->pim_typever); switch (PIM_VER(pim->pim_typever)) { case 2: if (!ndo->ndo_vflag) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_1mo_1439063616_pim_print.c
1
void
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pim_print(netdissect_options *ndo, register const u_char *bp, register u_int len, const u_char *bp2) { register const u_char *ep; register const struct pim *pim = (const struct pim *)bp; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; #ifdef notyet /* currently we see only version and type */ ND_TCHECK(pim->pim_rsv); #endif switch (PIM_VER(pim->pim_typever)) { case 2: if (!ndo->ndo_vflag) {
+ show +
18
19
20
21
22
23
24
25
26
27
ND_PRINT((ndo, "PIMv%u, %s, length %u", PIM_VER(pim->pim_typever), tok2str(pimv2_type_values,"Unknown Type",PIM_TYPE(pim->pim_typever)), len)); return; } else { ND_PRINT((ndo, "PIMv%u, length %u\n\t%s", PIM_VER(pim->pim_typever), len, tok2str(pimv2_type_values,"Unknown Type",PIM_TYPE(pim->pim_typever))));

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #1
register const struct pim *pim = (const struct pim *)bp; int advance; enum checksum_status cksum_status; + int pimv2_addr_len; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; if (ep > bp + len) ep = bp + len; + if (len < 2) + goto trunc; ND_TCHECK(pim->pim_rsv); pimv2_addr_len = pim->pim_rsv; if (pimv2_addr_len != 0) ND_PRINT((ndo, ", RFC2117-encoding")); + if (len < 4) + goto trunc; + ND_TCHECK(pim->pim_cksum); ND_PRINT((ndo, ", cksum 0x%04x ", EXTRACT_16BITS(&pim->pim_cksum))); if (EXTRACT_16BITS(&pim->pim_cksum) == 0) { ND_PRINT((ndo, "(unverified)"));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
1
2
3
4
5
static void pimv2_print(netdissect_options *ndo, register const u_char *bp, register u_int len, const u_char *bp2) { register const u_char *ep;
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
register const struct pim *pim = (const struct pim *)bp; int advance; enum checksum_status cksum_status; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; if (ep > bp + len) ep = bp + len; ND_TCHECK(pim->pim_rsv); pimv2_addr_len = pim->pim_rsv; if (pimv2_addr_len != 0) ND_PRINT((ndo, ", RFC2117-encoding")); ND_PRINT((ndo, ", cksum 0x%04x ", EXTRACT_16BITS(&pim->pim_cksum))); if (EXTRACT_16BITS(&pim->pim_cksum) == 0) { ND_PRINT((ndo, "(unverified)"));
+ show +
23
24
25
26
27
28
29
30
31
32
} else { if (PIM_TYPE(pim->pim_typever) == PIMV2_TYPE_REGISTER) { /* * The checksum only covers the packet header, * not the encapsulated packet. */ cksum_status = pimv2_check_checksum(ndo, bp, bp2, 8); if (cksum_status == INCORRECT) { /* * To quote RFC 4601, "For interoperability
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
1
2
3
4
5
static void pimv2_print(netdissect_options *ndo, register const u_char *bp, register u_int len, const u_char *bp2) { register const u_char *ep;
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
register const struct pim *pim = (const struct pim *)bp; int advance; enum checksum_status cksum_status; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; if (ep > bp + len) ep = bp + len; ND_TCHECK(pim->pim_rsv); pimv2_addr_len = pim->pim_rsv; if (pimv2_addr_len != 0) ND_PRINT((ndo, ", RFC2117-encoding")); ND_PRINT((ndo, ", cksum 0x%04x ", EXTRACT_16BITS(&pim->pim_cksum))); if (EXTRACT_16BITS(&pim->pim_cksum) == 0) { ND_PRINT((ndo, "(unverified)"));
+ show +
23
24
25
26
27
28
29
30
31
32
} else { if (PIM_TYPE(pim->pim_typever) == PIMV2_TYPE_REGISTER) { /* * The checksum only covers the packet header, * not the encapsulated packet. */ cksum_status = pimv2_check_checksum(ndo, bp, bp2, 8); if (cksum_status == INCORRECT) { /* * To quote RFC 4601, "For interoperability
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
1
2
3
4
5
static void pimv2_print(netdissect_options *ndo, register const u_char *bp, register u_int len, const u_char *bp2) { register const u_char *ep;
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
register const struct pim *pim = (const struct pim *)bp; int advance; enum checksum_status cksum_status; ep = (const u_char *)ndo->ndo_snapend; if (bp >= ep) return; if (ep > bp + len) ep = bp + len; ND_TCHECK(pim->pim_rsv); pimv2_addr_len = pim->pim_rsv; if (pimv2_addr_len != 0) ND_PRINT((ndo, ", RFC2117-encoding")); ND_PRINT((ndo, ", cksum 0x%04x ", EXTRACT_16BITS(&pim->pim_cksum))); if (EXTRACT_16BITS(&pim->pim_cksum) == 0) { ND_PRINT((ndo, "(unverified)"));
+ show +
23
24
25
26
27
28
29
30
31
32
} else { if (PIM_TYPE(pim->pim_typever) == PIMV2_TYPE_REGISTER) { /* * The checksum only covers the packet header, * not the encapsulated packet. */ cksum_status = pimv2_check_checksum(ndo, bp, bp2, 8); if (cksum_status == INCORRECT) { /* * To quote RFC 4601, "For interoperability

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #2
break; } } + bp += 4; + len -= 4; switch (PIM_TYPE(pim->pim_typever)) { case PIMV2_TYPE_HELLO: { uint16_t otype, olen; - bp += 4; - while (bp < ep) { + while (len > 0) { + if (len < 4) + goto trunc; ND_TCHECK2(bp[0], 4); otype = EXTRACT_16BITS(&bp[0]); olen = EXTRACT_16BITS(&bp[2]); - ND_TCHECK2(bp[0], 4 + olen); ND_PRINT((ndo, "\n\t %s Option (%u), length %u, Value: ", tok2str(pimv2_hello_option_values, "Unknown", otype), otype, olen)); bp += 4; + len -= 4; + if (len < olen) + goto trunc; + ND_TCHECK2(bp[0], olen); switch (otype) { case PIMV2_HELLO_OPTION_HOLDTIME: if (olen != 2) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
47
48
49
50
51
52
53
54
55
56
case CORRECT: ND_PRINT((ndo, "(correct)")); break; case INCORRECT: ND_PRINT((ndo, "(incorrect)")); break; case UNVERIFIED: ND_PRINT((ndo, "(unverified)"));
+ show +
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
break; } } switch (PIM_TYPE(pim->pim_typever)) { case PIMV2_TYPE_HELLO: { uint16_t otype, olen; bp += 4; while (bp < ep) { ND_TCHECK2(bp[0], 4); otype = EXTRACT_16BITS(&bp[0]); olen = EXTRACT_16BITS(&bp[2]); ND_TCHECK2(bp[0], 4 + olen); ND_PRINT((ndo, "\n\t %s Option (%u), length %u, Value: ", tok2str(pimv2_hello_option_values, "Unknown", otype), otype, olen)); bp += 4; switch (otype) { case PIMV2_HELLO_OPTION_HOLDTIME: if (olen != 2) {
+ show +
80
81
82
83
84
85
86
87
88
89
ND_PRINT((ndo, "ERROR: Option Length != 2 Bytes (%u)", olen)); } else { unsigned_relts_print(ndo, EXTRACT_16BITS(bp)); } break; case PIMV2_HELLO_OPTION_LANPRUNEDELAY: if (olen != 4) { ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen)); } else {

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #3
case PIMV2_HELLO_OPTION_ADDRESS_LIST: if (ndo->ndo_vflag > 1) { const u_char *ptr = bp; + u_int plen = len; while (ptr < (bp+olen)) { ND_PRINT((ndo, "\n\t ")); - advance = pimv2_addr_print(ndo, ptr, pimv2_unicast, 0); - if (advance < 0) { - ND_PRINT((ndo, "...")); - break; - } + advance = pimv2_addr_print(ndo, ptr, plen, pimv2_unicast, pimv2_addr_len, 0); + if (advance < 0) + goto trunc; ptr += advance; + plen -= advance; } } break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
133
134
135
136
137
138
139
140
141
142
if (EXTRACT_16BITS(bp+2) != 0) { ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2))); } } break; case PIMV2_HELLO_OPTION_BIDIR_CAP: break; case PIMV2_HELLO_OPTION_ADDRESS_LIST_OLD:
+ show +
143
144
145
146
147
148
149
150
151
152
153
154
155
156
case PIMV2_HELLO_OPTION_ADDRESS_LIST: if (ndo->ndo_vflag > 1) { const u_char *ptr = bp; while (ptr < (bp+olen)) { ND_PRINT((ndo, "\n\t ")); advance = pimv2_addr_print(ndo, ptr, pimv2_unicast, 0); if (advance < 0) { ND_PRINT((ndo, "...")); break; } ptr += advance; } } break;
+ show +
157
158
159
160
161
162
163
164
165
166
default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
121
122
123
124
125
126
127
128
129
130
} if (EXTRACT_16BITS(bp+2) != 0) { ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2))); } break; case PIMV2_HELLO_OPTION_BIDIR_CAP: break; case PIMV2_HELLO_OPTION_ADDRESS_LIST_OLD:
+ show +
131
132
133
134
135
136
137
138
139
140
141
142
143
144
case PIMV2_HELLO_OPTION_ADDRESS_LIST: if (ndo->ndo_vflag > 1) { const u_char *ptr = bp; while (ptr < (bp+olen)) { ND_PRINT((ndo, "\n\t ")); advance = pimv2_addr_print(ndo, ptr, pimv2_unicast, 0); if (advance < 0) { ND_PRINT((ndo, "...")); break; } ptr += advance; } } break;
+ show +
145
146
147
148
149
150
151
152
153
154
default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
121
122
123
124
125
126
127
128
129
130
} if (EXTRACT_16BITS(bp+2) != 0) { ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2))); } break; case PIMV2_HELLO_OPTION_BIDIR_CAP: break; case PIMV2_HELLO_OPTION_ADDRESS_LIST_OLD:
+ show +
131
132
133
134
135
136
137
138
139
140
141
142
143
144
case PIMV2_HELLO_OPTION_ADDRESS_LIST: if (ndo->ndo_vflag > 1) { const u_char *ptr = bp; while (ptr < (bp+olen)) { ND_PRINT((ndo, "\n\t ")); advance = pimv2_addr_print(ndo, ptr, pimv2_unicast, 0); if (advance < 0) { ND_PRINT((ndo, "...")); break; } ptr += advance; } } break;
+ show +
145
146
147
148
149
150
151
152
153
154
default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; }

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #4
if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; + len -= olen; } break; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
153
154
155
156
157
158
159
160
161
162
ptr += advance; } } break; default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */
+ show +
163
164
165
166
167
168
if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; }
+ show +
169
170
171
172
173
174
175
176
177
178
case PIMV2_TYPE_REGISTER: { const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none",
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
141
142
143
144
145
146
147
148
149
150
ptr += advance; } } break; default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */
+ show +
151
152
153
154
155
156
if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; }
+ show +
157
158
159
160
161
162
163
164
165
166
case PIMV2_TYPE_REGISTER: { const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none",
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
141
142
143
144
145
146
147
148
149
150
ptr += advance; } } break; default: if (ndo->ndo_vflag <= 1) print_unknown_data(ndo, bp, "\n\t ", olen); break; } /* do we want to see an additionally hexdump ? */
+ show +
151
152
153
154
155
156
if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; }
+ show +
157
158
159
160
161
162
163
164
165
166
case PIMV2_TYPE_REGISTER: { const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none",

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #5
{ const struct ip *ip; - ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); + if (len < 4) + goto trunc; + ND_TCHECK2(*bp, PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none", - EXTRACT_32BITS(bp+4)))); + EXTRACT_32BITS(bp)))); - bp += 8; len -= 8; + bp += 4; len -= 4; /* encapsulated multicast packet */ + if (len == 0) + goto trunc; ip = (const struct ip *)bp; + ND_TCHECK(ip->ip_vhl); switch (IP_V(ip)) { case 0: /* Null header */ + ND_TCHECK(ip->ip_dst); ND_PRINT((ndo, "IP-Null-header %s > %s", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
161
162
163
164
165
166
167
168
169
170
} /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; } case PIMV2_TYPE_REGISTER:
+ show +
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
{ const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none", EXTRACT_32BITS(bp+4)))); bp += 8; len -= 8; /* encapsulated multicast packet */ ip = (const struct ip *)bp; switch (IP_V(ip)) { case 0: /* Null header */ ND_PRINT((ndo, "IP-Null-header %s > %s", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst)));
+ show +
189
190
191
192
193
194
195
196
197
198
break; case 4: /* IPv4 */ ip_print(ndo, bp, len); break; case 6: /* IPv6 */ ip6_print(ndo, bp, len); break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
149
150
151
152
153
154
155
156
157
158
} /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; } case PIMV2_TYPE_REGISTER:
+ show +
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
{ const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none", EXTRACT_32BITS(bp+4)))); bp += 8; len -= 8; /* encapsulated multicast packet */ ip = (const struct ip *)bp; switch (IP_V(ip)) { case 0: /* Null header */ ND_PRINT((ndo, "IP-Null-header %s > %s", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst)));
+ show +
177
178
179
180
181
182
183
184
185
186
break; case 4: /* IPv4 */ ip_print(ndo, bp, len); break; case 6: /* IPv6 */ ip6_print(ndo, bp, len); break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
149
150
151
152
153
154
155
156
157
158
} /* do we want to see an additionally hexdump ? */ if (ndo->ndo_vflag> 1) print_unknown_data(ndo, bp, "\n\t ", olen); bp += olen; } break; } case PIMV2_TYPE_REGISTER:
+ show +
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
{ const struct ip *ip; ND_TCHECK2(*(bp + 4), PIMV2_REGISTER_FLAG_LEN); ND_PRINT((ndo, ", Flags [ %s ]\n\t", tok2str(pimv2_register_flag_values, "none", EXTRACT_32BITS(bp+4)))); bp += 8; len -= 8; /* encapsulated multicast packet */ ip = (const struct ip *)bp; switch (IP_V(ip)) { case 0: /* Null header */ ND_PRINT((ndo, "IP-Null-header %s > %s", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst)));
+ show +
177
178
179
180
181
182
183
184
185
186
break; case 4: /* IPv4 */ ip_print(ndo, bp, len); break; case 6: /* IPv6 */ ip6_print(ndo, bp, len); break;

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #6
} case PIMV2_TYPE_REGISTER_STOP: - bp += 4; len -= 4; - if (bp >= ep) - break; ND_PRINT((ndo, " group=")); - if ((advance = pimv2_addr_print(ndo, bp, pimv2_group, 0)) < 0) { - ND_PRINT((ndo, "...")); - break; - } + if ((advance = pimv2_addr_print(ndo, bp, len, pimv2_group, pimv2_addr_len, 0)) < 0) + goto trunc; bp += advance; len -= advance; - if (bp >= ep) - break; ND_PRINT((ndo, " source=")); - if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { - ND_PRINT((ndo, "...")); - break; - } + if ((advance = pimv2_addr_print(ndo, bp, len, pimv2_unicast, pimv2_addr_len, 0)) < 0) + goto trunc; bp += advance; len -= advance; break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
194
195
196
197
198
199
200
201
202
203
case 6: /* IPv6 */ ip6_print(ndo, bp, len); break; default: ND_PRINT((ndo, "IP ver %d", IP_V(ip))); break; } break;
+ show +
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
} case PIMV2_TYPE_REGISTER_STOP: bp += 4; len -= 4; if (bp >= ep) break; ND_PRINT((ndo, " group=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_group, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; if (bp >= ep) break; ND_PRINT((ndo, " source=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; break;
+ show +
225
226
227
228
229
230
231
232
233
234
case PIMV2_TYPE_JOIN_PRUNE: case PIMV2_TYPE_GRAFT: case PIMV2_TYPE_GRAFT_ACK: /* * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
182
183
184
185
186
187
188
189
190
191
case 6: /* IPv6 */ ip6_print(ndo, bp, len); break; default: ND_PRINT((ndo, "IP ver %d", IP_V(ip))); break; } break;
+ show +
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
} case PIMV2_TYPE_REGISTER_STOP: bp += 4; len -= 4; if (bp >= ep) break; ND_PRINT((ndo, " group=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_group, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; if (bp >= ep) break; ND_PRINT((ndo, " source=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; break;
+ show +
213
214
215
216
217
218
219
220
221
222
case PIMV2_TYPE_JOIN_PRUNE: case PIMV2_TYPE_GRAFT: case PIMV2_TYPE_GRAFT_ACK: /* * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
182
183
184
185
186
187
188
189
190
191
case 6: /* IPv6 */ ip6_print(ndo, bp, len); break; default: ND_PRINT((ndo, "IP ver %d", IP_V(ip))); break; } break;
+ show +
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
} case PIMV2_TYPE_REGISTER_STOP: bp += 4; len -= 4; if (bp >= ep) break; ND_PRINT((ndo, " group=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_group, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; if (bp >= ep) break; ND_PRINT((ndo, " source=")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; break;
+ show +
213
214
215
216
217
218
219
220
221
222
case PIMV2_TYPE_JOIN_PRUNE: case PIMV2_TYPE_GRAFT: case PIMV2_TYPE_GRAFT_ACK: /* * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[tcpdump_CVE-2017-13030_1490216968_pimv2_print.diff] pimv2_print_OLD.c #7
uint16_t nprune; int i, j; - bp += 4; len -= 4; if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ - if (bp >= ep) - break; ND_PRINT((ndo, ", upstream-neighbor: ")); - if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { - ND_PRINT((ndo, "...")); - break; - } + if ((advance = pimv2_addr_print(ndo, bp, len, pimv2_unicast, pimv2_addr_len, 0)) < 0) + goto trunc; bp += advance; len -= advance; } - if (bp + 4 > ep) - break; + if (len < 4) + goto trunc; + ND_TCHECK2(*bp, 4); ngroup = bp[1]; holdtime = EXTRACT_16BITS(&bp[2]); ND_PRINT((ndo, "\n\t %u group(s)", ngroup));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13030_before_imd_1487014285_pimv2_print.c
260
261
262
263
264
265
266
267
268
269
* | . | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Encoded-Multicast Group Address-n | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ { uint8_t ngroup; uint16_t holdtime; uint16_t njoin;
+ show +
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
uint16_t nprune; int i, j; bp += 4; len -= 4; if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ if (bp >= ep) break; ND_PRINT((ndo, ", upstream-neighbor: ")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; } if (bp + 4 > ep) break; ngroup = bp[1]; holdtime = EXTRACT_16BITS(&bp[2]); ND_PRINT((ndo, "\n\t %u group(s)", ngroup));
+ show +
289
290
291
292
293
294
295
296
297
298
if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ ND_PRINT((ndo, ", holdtime: ")); if (holdtime == 0xffff) ND_PRINT((ndo, "infinite")); else unsigned_relts_print(ndo, holdtime); } bp += 4; len -= 4; for (i = 0; i < ngroup; i++) { if (bp >= ep)
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_1mo_1439063616_pimv2_print.c
248
249
250
251
252
253
254
255
256
257
* | . | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Encoded-Multicast Group Address-n | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ { uint8_t ngroup; uint16_t holdtime; uint16_t njoin;
+ show +
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
uint16_t nprune; int i, j; bp += 4; len -= 4; if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ if (bp >= ep) break; ND_PRINT((ndo, ", upstream-neighbor: ")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; } if (bp + 4 > ep) break; ngroup = bp[1]; holdtime = EXTRACT_16BITS(&bp[2]); ND_PRINT((ndo, "\n\t %u group(s)", ngroup));
+ show +
277
278
279
280
281
282
283
284
285
286
if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ ND_PRINT((ndo, ", holdtime: ")); if (holdtime == 0xffff) ND_PRINT((ndo, "infinite")); else unsigned_relts_print(ndo, holdtime); } bp += 4; len -= 4; for (i = 0; i < ngroup; i++) { if (bp >= ep)
.\cloneFuncs\totalClone\Type-3\CVE-2017-13030_before_6mo_1471182139_pimv2_print.c
248
249
250
251
252
253
254
255
256
257
* | . | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Encoded-Multicast Group Address-n | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ { uint8_t ngroup; uint16_t holdtime; uint16_t njoin;
+ show +
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
uint16_t nprune; int i, j; bp += 4; len -= 4; if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ if (bp >= ep) break; ND_PRINT((ndo, ", upstream-neighbor: ")); if ((advance = pimv2_addr_print(ndo, bp, pimv2_unicast, 0)) < 0) { ND_PRINT((ndo, "...")); break; } bp += advance; len -= advance; } if (bp + 4 > ep) break; ngroup = bp[1]; holdtime = EXTRACT_16BITS(&bp[2]); ND_PRINT((ndo, "\n\t %u group(s)", ngroup));
+ show +
277
278
279
280
281
282
283
284
285
286
if (PIM_TYPE(pim->pim_typever) != 7) { /*not for Graft-ACK*/ ND_PRINT((ndo, ", holdtime: ")); if (holdtime == 0xffff) ND_PRINT((ndo, "infinite")); else relts_print(ndo, holdtime); } bp += 4; len -= 4; for (i = 0; i < ngroup; i++) { if (bp >= ep)

[tcpdump_CVE-2017-13031_1490219712_frag6_print.diff] frag6_print_OLD.c #1
dp = (const struct ip6_frag *)bp; ip6 = (const struct ip6_hdr *)bp2; - ND_TCHECK(dp->ip6f_offlg); + ND_TCHECK(*dp); if (ndo->ndo_vflag) { ND_PRINT((ndo, "frag (0x%08x:%d|%ld)",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13031_before_1mo_1471182139_frag6_print.c
1
2
3
4
5
6
int frag6_print(netdissect_options *ndo, register const u_char *bp, register const u_char *bp2) { register const struct ip6_frag *dp; register const struct ip6_hdr *ip6;
+ show +
7
8
9
10
11
12
13
dp = (const struct ip6_frag *)bp; ip6 = (const struct ip6_hdr *)bp2; ND_TCHECK(dp->ip6f_offlg); if (ndo->ndo_vflag) { ND_PRINT((ndo, "frag (0x%08x:%d|%ld)",
+ show +
14
15
16
17
18
19
20
21
22
23
EXTRACT_32BITS(&dp->ip6f_ident), EXTRACT_16BITS(&dp->ip6f_offlg) & IP6F_OFF_MASK, sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen) - (long)(bp - bp2) - sizeof(struct ip6_frag))); } else { ND_PRINT((ndo, "frag (%d|%ld)", EXTRACT_16BITS(&dp->ip6f_offlg) & IP6F_OFF_MASK, sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen) - (long)(bp - bp2) - sizeof(struct ip6_frag))); }

[tcpdump_CVE-2017-13032_1490222282_print_attr_string.diff] print_attr_string_OLD.c #1
{ case TUNNEL_PASS: if (length < 3) - { - ND_PRINT((ndo, "%s", tstr)); - return; - } + goto trunc; if (*data && (*data <=0x1F) ) ND_PRINT((ndo, "Tag[%u] ", *data)); else
.\cloneFuncs\totalClone\Type-1\CVE-2017-13032_before_1mo_1473623126_print_attr_string.c
1
2
3
4
5
6
7
8
9
static void print_attr_string(netdissect_options *ndo, register const u_char *data, u_int length, u_short attr_code) { register u_int i; ND_TCHECK2(data[0],length); switch(attr_code)
+ show +
10
11
12
13
14
15
16
17
18
19
{ case TUNNEL_PASS: if (length < 3) { ND_PRINT((ndo, "%s", tstr)); return; } if (*data && (*data <=0x1F) ) ND_PRINT((ndo, "Tag[%u] ", *data)); else
+ show +
20
21
22
23
24
25
26
27
28
29
ND_PRINT((ndo, "Tag[Unused] ")); data++; length--; ND_PRINT((ndo, "Salt %u ", EXTRACT_16BITS(data))); data+=2; length-=2; break; case TUNNEL_CLIENT_END: case TUNNEL_SERVER_END: case TUNNEL_PRIV_GROUP:

[tcpdump_CVE-2017-13032_1490222282_print_attr_string.diff] print_attr_string_OLD.c #2
if (*data <= 0x1F) { if (length < 1) - { - ND_PRINT((ndo, "%s", tstr)); - return; - } + goto trunc; if (*data) ND_PRINT((ndo, "Tag[%u] ", *data)); else
.\cloneFuncs\totalClone\Type-1\CVE-2017-13032_before_1mo_1473623126_print_attr_string.c
23
24
25
26
27
28
29
30
31
32
ND_PRINT((ndo, "Salt %u ", EXTRACT_16BITS(data))); data+=2; length-=2; break; case TUNNEL_CLIENT_END: case TUNNEL_SERVER_END: case TUNNEL_PRIV_GROUP: case TUNNEL_ASSIGN_ID: case TUNNEL_CLIENT_AUTH: case TUNNEL_SERVER_AUTH:
+ show +
33
34
35
36
37
38
39
40
41
42
if (*data <= 0x1F) { if (length < 1) { ND_PRINT((ndo, "%s", tstr)); return; } if (*data) ND_PRINT((ndo, "Tag[%u] ", *data)); else
+ show +
43
44
45
46
47
48
49
50
51
52
ND_PRINT((ndo, "Tag[Unused] ")); data++; length--; } break; case EGRESS_VLAN_NAME: ND_PRINT((ndo, "%s (0x%02x) ", tok2str(rfc4675_tagged,"Unknown tag",*data), *data)); data++;

[tcpdump_CVE-2017-13032_1490222282_print_attr_string.diff] print_attr_string_OLD.c #3
} break; case EGRESS_VLAN_NAME: + if (length < 1) + goto trunc; ND_PRINT((ndo, "%s (0x%02x) ", tok2str(rfc4675_tagged,"Unknown tag",*data), *data));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13032_before_1mo_1473623126_print_attr_string.c
36
37
38
39
40
41
42
43
44
45
{ ND_PRINT((ndo, "%s", tstr)); return; } if (*data) ND_PRINT((ndo, "Tag[%u] ", *data)); else ND_PRINT((ndo, "Tag[Unused] ")); data++; length--;
+ show +
46
47
48
49
50
51
} break; case EGRESS_VLAN_NAME: ND_PRINT((ndo, "%s (0x%02x) ", tok2str(rfc4675_tagged,"Unknown tag",*data), *data));
+ show +
52
53
54
55
56
57
58
59
60
61
data++; length--; break; } for (i=0; *data && i < length ; i++, data++) ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data)); return;

[tcpdump_CVE-2017-13032_1490222282_print_attr_string.diff] print_attr_string_OLD.c #4
break; } - for (i=0; *data && i < length ; i++, data++) + for (i=0; i < length && *data; i++, data++) ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data)); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13032_before_1mo_1473623126_print_attr_string.c
44
45
46
47
48
49
50
51
52
53
data++; length--; } break; case EGRESS_VLAN_NAME: ND_PRINT((ndo, "%s (0x%02x) ", tok2str(rfc4675_tagged,"Unknown tag",*data), *data)); data++; length--;
+ show +
54
55
56
57
58
59
60
break; } for (i=0; *data && i < length ; i++, data++) ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data)); return;
+ show +
61
62
63
64
trunc: ND_PRINT((ndo, "%s", tstr)); }

[tcpdump_CVE-2017-13036_1490313318_ospf6_decode_v3.diff] ospf6_decode_v3_OLD.c #1
case OSPF_TYPE_HELLO: { register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN); + ND_TCHECK_32BITS(&hellop->hello_options); ND_PRINT((ndo, "\n\tOptions [%s]", bittok2str(ospf6_option_values, "none", EXTRACT_32BITS(&hellop->hello_options))));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13036_before_1mo_1441831358_ospf6_decode_v3.c
4
5
6
7
8
9
10
11
12
13
register const u_char *dataend) { register const rtrid_t *ap; register const struct lsr6 *lsrp; register const struct lsa6_hdr *lshp; register const struct lsa6 *lsap; register int i; switch (op->ospf6_type) {
+ show +
14
15
16
17
18
19
case OSPF_TYPE_HELLO: { register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN); ND_PRINT((ndo, "\n\tOptions [%s]", bittok2str(ospf6_option_values, "none", EXTRACT_32BITS(&hellop->hello_options))));
+ show +
20
21
22
23
24
25
26
27
28
29
ND_TCHECK(hellop->hello_deadint); ND_PRINT((ndo, "\n\t Hello Timer %us, Dead Timer %us, Interface-ID %s, Priority %u", EXTRACT_16BITS(&hellop->hello_helloint), EXTRACT_16BITS(&hellop->hello_deadint), ipaddr_string(ndo, &hellop->hello_ifid), hellop->hello_priority)); ND_TCHECK(hellop->hello_dr); if (EXTRACT_32BITS(&hellop->hello_dr) != 0)

[tcpdump_CVE-2017-13037_1490406129_ip_printts.diff] ip_printts_OLD.c #1
-static void +static int ip_printts(netdissect_options *ndo, register const u_char *cp, u_int length) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13037_before_1mo_1436060711_ip_printts.c
+ show +
1
2
3
4
static void ip_printts(netdissect_options *ndo, register const u_char *cp, u_int length) {
+ show +
5
6
7
8
9
10
11
12
13
14
register u_int ptr; register u_int len; int hoplen; const char *type; if (length < 4) { ND_PRINT((ndo, "[bad length %u]", length)); return; } ND_PRINT((ndo, " TS{"));

[tcpdump_CVE-2017-13037_1490406129_ip_printts.diff] ip_printts_OLD.c #2
if (length < 4) { ND_PRINT((ndo, "[bad length %u]", length)); - return; + return (0); } ND_PRINT((ndo, " TS{")); hoplen = ((cp[3]&0xF) != IPOPT_TS_TSONLY) ? 8 : 4; if ((length - 4) & (hoplen-1)) ND_PRINT((ndo, "[bad length %u]", length)); + ND_TCHECK(cp[2]); ptr = cp[2] - 1; len = 0; if (ptr < 4 || ((ptr - 4) & (hoplen-1)) || ptr > length + 1) ND_PRINT((ndo, "[bad ptr %u]", cp[2])); + ND_TCHECK(cp[3]); switch (cp[3]&0xF) { case IPOPT_TS_TSONLY: ND_PRINT((ndo, "TSONLY"));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13037_before_1mo_1436060711_ip_printts.c
1
2
3
4
5
6
7
8
9
static void ip_printts(netdissect_options *ndo, register const u_char *cp, u_int length) { register u_int ptr; register u_int len; int hoplen; const char *type;
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
if (length < 4) { ND_PRINT((ndo, "[bad length %u]", length)); return; } ND_PRINT((ndo, " TS{")); hoplen = ((cp[3]&0xF) != IPOPT_TS_TSONLY) ? 8 : 4; if ((length - 4) & (hoplen-1)) ND_PRINT((ndo, "[bad length %u]", length)); ptr = cp[2] - 1; len = 0; if (ptr < 4 || ((ptr - 4) & (hoplen-1)) || ptr > length + 1) ND_PRINT((ndo, "[bad ptr %u]", cp[2])); switch (cp[3]&0xF) { case IPOPT_TS_TSONLY: ND_PRINT((ndo, "TSONLY"));
+ show +
25
26
27
28
29
30
31
32
33
34
break; case IPOPT_TS_TSANDADDR: ND_PRINT((ndo, "TS+ADDR")); break; /* * prespecified should really be 3, but some ones might send 2 * instead, and the IPOPT_TS_PRESPEC constant can apparently * have both values, so we have to hard-code it here. */

[tcpdump_CVE-2017-13037_1490406129_ip_printts.diff] ip_printts_OLD.c #3
for (len = 4; len < length; len += hoplen) { if (ptr == len) type = " ^ "; + ND_TCHECK2(cp[len], hoplen); ND_PRINT((ndo, "%s%d@%s", type, EXTRACT_32BITS(&cp[len+hoplen-4]), hoplen!=8 ? "" : ipaddr_string(ndo, &cp[len]))); type = " ";
.\cloneFuncs\totalClone\Type-1\CVE-2017-13037_before_1mo_1436060711_ip_printts.c
37
38
39
40
41
42
43
44
45
46
break; case 3: /* IPOPT_TS_PRESPEC */ ND_PRINT((ndo, "PRESPEC")); break; default: ND_PRINT((ndo, "[bad ts type %d]", cp[3]&0xF)); goto done; } type = " ";
+ show +
47
48
49
50
51
52
for (len = 4; len < length; len += hoplen) { if (ptr == len) type = " ^ "; ND_PRINT((ndo, "%s%d@%s", type, EXTRACT_32BITS(&cp[len+hoplen-4]), hoplen!=8 ? "" : ipaddr_string(ndo, &cp[len]))); type = " ";
+ show +
53
54
55
56
57
58
59
60
61
62
} done: ND_PRINT((ndo, "%s", ptr == len ? " ^ " : "")); if (cp[3]>>4) ND_PRINT((ndo, " [%d hops not recorded]} ", cp[3]>>4)); else ND_PRINT((ndo, "}")); }

[tcpdump_CVE-2017-13039_1497240415_ikev1_attrmap_print.diff] ikev1_attrmap_print_OLD.c #1
static const u_char * ikev1_attrmap_print(netdissect_options *ndo, - const u_char *p, const u_char *ep, + const u_char *p, const u_char *ep2, const struct attrmap *map, size_t nmap) { int totlen; uint32_t t, v; + ND_TCHECK(p[0]); if (p[0] & 0x80) totlen = 4; - else + else { + ND_TCHECK_16BITS(&p[2]); totlen = 4 + EXTRACT_16BITS(&p[2]); - if (ep < p + totlen) { + } + if (ep2 < p + totlen) { ND_PRINT((ndo,"[|attr]")); - return ep + 1; + return ep2 + 1; } + ND_TCHECK_16BITS(&p[0]); ND_PRINT((ndo,"(")); t = EXTRACT_16BITS(&p[0]) & 0x7fff; if (map && t < nmap && map[t].type)
.\cloneFuncs\totalClone\Type-1\CVE-2017-13039_before_1mo_1484516966_ikev1_attrmap_print.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
static const u_char * ikev1_attrmap_print(netdissect_options *ndo, const u_char *p, const u_char *ep, const struct attrmap *map, size_t nmap) { int totlen; uint32_t t, v; if (p[0] & 0x80) totlen = 4; else totlen = 4 + EXTRACT_16BITS(&p[2]); if (ep < p + totlen) { ND_PRINT((ndo,"[|attr]")); return ep + 1; } ND_PRINT((ndo,"(")); t = EXTRACT_16BITS(&p[0]) & 0x7fff; if (map && t < nmap && map[t].type)
+ show +
21
22
23
24
25
26
27
28
29
30
ND_PRINT((ndo,"type=%s ", map[t].type)); else ND_PRINT((ndo,"type=#%d ", t)); if (p[0] & 0x80) { ND_PRINT((ndo,"value=")); v = EXTRACT_16BITS(&p[2]); if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) ND_PRINT((ndo,"%s", map[t].value[v])); else rawprint(ndo, (const uint8_t *)&p[2], 2);

[tcpdump_CVE-2017-13039_1497240415_ikev1_n_print.diff] ikev1_n_print_OLD.c #1
size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); ND_PRINT((ndo," attrs=(")); while (cp < ep && cp < ep2) { - cp = ikev1_attrmap_print(ndo, cp, - (ep < ep2) ? ep : ep2, map, nmap); + cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); + if (cp == NULL) { + ND_PRINT((ndo,")")); + goto trunc; + } } ND_PRINT((ndo,")")); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13039_before_imd_1486420430_ikev1_n_print.c
101
102
103
104
105
106
107
108
109
110
} cp = (const u_char *)(p + 1) + n.spi_size; ep2 = (const u_char *)p + item_len; if (cp < ep) { switch (ntohs(n.type)) { case IPSECDOI_NTYPE_RESPONDER_LIFETIME: { const struct attrmap *map = oakley_t_map;
+ show +
111
112
113
114
115
116
117
118
size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); ND_PRINT((ndo," attrs=(")); while (cp < ep && cp < ep2) { cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, map, nmap); } ND_PRINT((ndo,")")); break;
+ show +
119
120
121
122
123
124
125
126
127
128
} case IPSECDOI_NTYPE_REPLAY_STATUS: ND_PRINT((ndo," status=(")); ND_PRINT((ndo,"replay detection %sabled", EXTRACT_32BITS(cp) ? "en" : "dis")); ND_PRINT((ndo,")")); break; default: /* * XXX - fill in more types here; see, for example,

[tcpdump_CVE-2017-13040_1497305058_mp_capable_print.diff] mp_capable_print_OLD.c #1
{ const struct mp_capable *mpc = (const struct mp_capable *) opt; - if (!(opt_len == 12 && flags & TH_SYN) && + if (!(opt_len == 12 && (flags & TH_SYN)) && !(opt_len == 20 && (flags & (TH_SYN | TH_ACK)) == TH_ACK)) return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13040_before_1mo_1442527004_mp_capable_print.c
1
2
3
static int mp_capable_print(netdissect_options *ndo, const u_char *opt, u_int opt_len, u_char flags)
+ show +
4
5
6
7
8
9
{ const struct mp_capable *mpc = (const struct mp_capable *) opt; if (!(opt_len == 12 && flags & TH_SYN) && !(opt_len == 20 && (flags & (TH_SYN | TH_ACK)) == TH_ACK)) return 0;
+ show +
10
11
12
13
14
15
16
17
18
19
if (MP_CAPABLE_OPT_VERSION(mpc->sub_ver) != 0) { ND_PRINT((ndo, " Unknown Version (%d)", MP_CAPABLE_OPT_VERSION(mpc->sub_ver))); return 1; } if (mpc->flags & MP_CAPABLE_C) ND_PRINT((ndo, " csum")); ND_PRINT((ndo, " {0x%" PRIx64, EXTRACT_64BITS(mpc->sender_key))); if (opt_len == 20) /* ACK */

[tcpdump_CVE-2017-13040_1497305058_mp_join_print.diff] mp_join_print_OLD.c #1
{ const struct mp_join *mpj = (const struct mp_join *) opt; - if (!(opt_len == 12 && flags & TH_SYN) && + if (!(opt_len == 12 && (flags & TH_SYN)) && !(opt_len == 16 && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) && - !(opt_len == 24 && flags & TH_ACK)) + !(opt_len == 24 && (flags & TH_ACK))) return 0; if (opt_len != 24) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13040_before_1mo_1442527004_mp_join_print.c
1
2
3
static int mp_join_print(netdissect_options *ndo, const u_char *opt, u_int opt_len, u_char flags)
+ show +
4
5
6
7
8
9
10
11
12
{ const struct mp_join *mpj = (const struct mp_join *) opt; if (!(opt_len == 12 && flags & TH_SYN) && !(opt_len == 16 && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) && !(opt_len == 24 && flags & TH_ACK)) return 0; if (opt_len != 24) {
+ show +
13
14
15
16
17
18
19
20
21
22
if (mpj->sub_b & MP_JOIN_B) ND_PRINT((ndo, " backup")); ND_PRINT((ndo, " id %u", mpj->addr_id)); } switch (opt_len) { case 12: /* SYN */ ND_PRINT((ndo, " token 0x%x" " nonce 0x%x", EXTRACT_32BITS(mpj->u.syn.token), EXTRACT_32BITS(mpj->u.syn.nonce)));

[tcpdump_CVE-2017-13041_1497330972_icmp6_nodeinfo_print.diff] icmp6_nodeinfo_print_OLD.c #1
needcomma = 0; + ND_TCHECK2(*dp, sizeof(*ni6)); ni6 = (const struct icmp6_nodeinfo *)dp; ND_PRINT((ndo," node information reply")); ND_PRINT((ndo," (")); /*)*/
.\cloneFuncs\totalClone\Type-1\CVE-2017-13041_before_1mo_1476009768_icmp6_nodeinfo_print.c
125
126
127
128
129
130
131
132
133
134
/*(*/ ND_PRINT((ndo,")")); break; case ICMP6_NI_REPLY: if (icmp6len > siz) { ND_PRINT((ndo,"[|icmp6: node information reply]")); break; }
+ show +
135
136
137
138
139
needcomma = 0; ni6 = (const struct icmp6_nodeinfo *)dp; ND_PRINT((ndo," node information reply")); ND_PRINT((ndo," (")); /*)*/
+ show +
140
141
142
143
144
145
146
147
148
149
switch (ni6->ni_code) { case ICMP6_NI_SUCCESS: if (ndo->ndo_vflag) { ND_PRINT((ndo,"success")); needcomma++; } break; case ICMP6_NI_REFUSED: ND_PRINT((ndo,"refused")); needcomma++;

[tcpdump_CVE-2017-13041_1497330972_icmp6_nodeinfo_print.diff] icmp6_nodeinfo_print_OLD.c #2
ND_PRINT((ndo,", ")); ND_PRINT((ndo,"DNS name")); cp = (const u_char *)(ni6 + 1) + 4; + ND_TCHECK(cp[0]); if (cp[0] == ep - cp - 1) { /* icmp-name-lookup-03, pascal string */ if (ndo->ndo_vflag)
.\cloneFuncs\totalClone\Type-1\CVE-2017-13041_before_1mo_1476009768_icmp6_nodeinfo_print.c
178
179
180
181
182
183
184
185
186
187
case NI_QTYPE_SUPTYPES: if (needcomma) ND_PRINT((ndo,", ")); ND_PRINT((ndo,"supported qtypes")); i = EXTRACT_16BITS(&ni6->ni_flags); if (i) ND_PRINT((ndo," [%s]", (i & 0x01) ? "C" : "")); break; case NI_QTYPE_FQDN: if (needcomma)
+ show +
188
189
190
191
192
193
ND_PRINT((ndo,", ")); ND_PRINT((ndo,"DNS name")); cp = (const u_char *)(ni6 + 1) + 4; if (cp[0] == ep - cp - 1) { /* icmp-name-lookup-03, pascal string */ if (ndo->ndo_vflag)
+ show +
194
195
196
197
198
199
200
201
202
203
ND_PRINT((ndo,", 03 draft")); cp++; ND_PRINT((ndo,", \"")); while (cp < ep) { safeputchar(ndo, *cp); cp++; } ND_PRINT((ndo,"\"")); } else dnsname_print(ndo, cp, ep);

[tcpdump_CVE-2017-13042_1501350758_dhcpv6_print.diff] dhcpv6_print_OLD.c #1
i = 0; while (i < length) { + if (i + 4 > length) + return -1; tlv = cp + i; type = EXTRACT_16BITS(tlv); optlen = EXTRACT_16BITS(tlv + 2);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13042_before_1mo_1477851340_dhcpv6_print.c
1
2
3
4
5
6
7
8
static int dhcpv6_print(netdissect_options *ndo, const u_char *cp, u_int length, int indent) { u_int i, t; const u_char *tlv, *value; uint16_t type, optlen;
+ show +
9
10
11
12
13
i = 0; while (i < length) { tlv = cp + i; type = EXTRACT_16BITS(tlv); optlen = EXTRACT_16BITS(tlv + 2);
+ show +
14
15
16
17
18
19
20
21
22
23
value = tlv + 4; ND_PRINT((ndo, "\n")); for (t = indent; t > 0; t--) ND_PRINT((ndo, "\t")); ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 4 )); switch (type) {

[tcpdump_CVE-2017-13042_1501350758_dhcpv6_print.diff] dhcpv6_print_OLD.c #2
ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 4 )); + if (i + 4 + optlen > length) + return -1; switch (type) { case DH6OPT_DNS_SERVERS:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13042_before_1mo_1477851340_dhcpv6_print.c
10
11
12
13
14
15
16
17
18
19
while (i < length) { tlv = cp + i; type = EXTRACT_16BITS(tlv); optlen = EXTRACT_16BITS(tlv + 2); value = tlv + 4; ND_PRINT((ndo, "\n")); for (t = indent; t > 0; t--) ND_PRINT((ndo, "\t"));
+ show +
20
21
22
23
24
ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 4 )); switch (type) { case DH6OPT_DNS_SERVERS:
+ show +
25
26
27
28
29
30
31
32
33
34
case DH6OPT_SNTP_SERVERS: { if (optlen % 16 != 0) { ND_PRINT((ndo, " %s", istr)); return -1; } for (t = 0; t < optlen; t += 16) ND_PRINT((ndo, " %s", ip6addr_string(ndo, value + t))); } break; case DH6OPT_DOMAIN_LIST: {

[tcpdump_CVE-2017-13043_1501801703_decode_multicast_vpn.diff] decode_multicast_vpn_OLD.c #1
case BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN: /* fall through */ case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN: - ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN); + ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + 4); offset = strlen(buf); snprintf(buf + offset, buflen - offset, ", RD: %s, Source-AS %s", bgp_vpn_rd_print(ndo, pptr), as_printf(ndo, astostr, sizeof(astostr), EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN))); - pptr += BGP_VPN_RD_LEN; + pptr += BGP_VPN_RD_LEN + 4; bgp_vpn_sg_print(ndo, pptr, buf, buflen); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13043_before_1mo_1496137922_decode_multicast_vpn.c
51
52
53
54
55
56
57
58
59
60
case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_ACTIVE: ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN); offset = strlen(buf); snprintf(buf + offset, buflen - offset, ", RD: %s", bgp_vpn_rd_print(ndo, pptr)); pptr += BGP_VPN_RD_LEN; bgp_vpn_sg_print(ndo, pptr, buf, buflen); break;
+ show +
61
62
63
64
65
66
67
68
69
70
71
72
case BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN: /* fall through */ case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN: ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN); offset = strlen(buf); snprintf(buf + offset, buflen - offset, ", RD: %s, Source-AS %s", bgp_vpn_rd_print(ndo, pptr), as_printf(ndo, astostr, sizeof(astostr), EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN))); pptr += BGP_VPN_RD_LEN; bgp_vpn_sg_print(ndo, pptr, buf, buflen); break;
+ show +
73
74
75
76
77
78
79
80
81
82
/* * no per route-type printing yet. */ case BGP_MULTICAST_VPN_ROUTE_TYPE_INTRA_AS_SEG_LEAF: default: break; } return route_length + 2;

[tcpdump_CVE-2017-13044_1501361135_dhcpv4_print.diff] dhcpv4_print_OLD.c #1
i = 0; while (i < length) { + if (i + 2 > length) + return -1; tlv = cp + i; type = (uint8_t)tlv[0]; optlen = (uint8_t)tlv[1];
.\cloneFuncs\totalClone\Type-1\CVE-2017-13044_before_1mo_1477851340_dhcpv4_print.c
1
2
3
4
5
6
7
8
static int dhcpv4_print(netdissect_options *ndo, const u_char *cp, u_int length, int indent) { u_int i, t; const u_char *tlv, *value; uint8_t type, optlen;
+ show +
9
10
11
12
13
i = 0; while (i < length) { tlv = cp + i; type = (uint8_t)tlv[0]; optlen = (uint8_t)tlv[1];
+ show +
14
15
16
17
18
19
20
21
22
23
value = tlv + 2; ND_PRINT((ndo, "\n")); for (t = indent; t > 0; t--) ND_PRINT((ndo, "\t")); ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 2 )); switch (type) {

[tcpdump_CVE-2017-13044_1501361135_dhcpv4_print.diff] dhcpv4_print_OLD.c #2
ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 2 )); + if (i + 2 + optlen > length) + return -1; switch (type) { case DH4OPT_DNS_SERVERS:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13044_before_1mo_1477851340_dhcpv4_print.c
10
11
12
13
14
15
16
17
18
19
while (i < length) { tlv = cp + i; type = (uint8_t)tlv[0]; optlen = (uint8_t)tlv[1]; value = tlv + 2; ND_PRINT((ndo, "\n")); for (t = indent; t > 0; t--) ND_PRINT((ndo, "\t"));
+ show +
20
21
22
23
24
ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type))); ND_PRINT((ndo," (%u)", optlen + 2 )); switch (type) { case DH4OPT_DNS_SERVERS:
+ show +
25
26
27
28
29
30
31
32
33
34
case DH4OPT_NTP_SERVERS: { if (optlen < 4 || optlen % 4 != 0) { return -1; } for (t = 0; t < optlen; t += 4) ND_PRINT((ndo, " %s", ipaddr_string(ndo, value + t))); } break; case DH4OPT_DOMAIN_SEARCH: { const u_char *tp = value;

[tcpdump_CVE-2017-13045_1501366860_vqp_print.diff] vqp_print_OLD.c #1
const u_char *tptr; uint16_t vqp_obj_len; uint32_t vqp_obj_type; - int tlen; + u_int tlen; uint8_t nitems; tptr=pptr; tlen = len; vqp_common_header = (const struct vqp_common_header_t *)pptr; ND_TCHECK(*vqp_common_header); + if (sizeof(struct vqp_common_header_t) > tlen) + goto trunc; /* * Sanity checking of the header.
.\cloneFuncs\totalClone\Type-1\CVE-2017-13045_before_1mo_1441831358_vqp_print.c
1
2
3
4
5
6
void vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int len) { const struct vqp_common_header_t *vqp_common_header; const struct vqp_obj_tlv_t *vqp_obj_tlv;
+ show +
7
8
9
10
11
12
13
14
15
16
17
18
19
const u_char *tptr; uint16_t vqp_obj_len; uint32_t vqp_obj_type; int tlen; uint8_t nitems; tptr=pptr; tlen = len; vqp_common_header = (const struct vqp_common_header_t *)pptr; ND_TCHECK(*vqp_common_header); /* * Sanity checking of the header.
+ show +
20
21
22
23
24
25
26
27
28
29
*/ if (VQP_EXTRACT_VERSION(vqp_common_header->version) != VQP_VERSION) { ND_PRINT((ndo, "VQP version %u packet not supported", VQP_EXTRACT_VERSION(vqp_common_header->version))); return; } /* in non-verbose mode just lets print the basic Message Type */ if (ndo->ndo_vflag < 1) { ND_PRINT((ndo, "VQPv%u %s Message, error-code %s (%u), length %u",

[tcpdump_CVE-2017-13045_1501366860_vqp_print.diff] vqp_print_OLD.c #2
while (nitems > 0 && tlen > 0) { vqp_obj_tlv = (const struct vqp_obj_tlv_t *)tptr; + ND_TCHECK(*vqp_obj_tlv); + if (sizeof(struct vqp_obj_tlv_t) > tlen) + goto trunc; vqp_obj_type = EXTRACT_32BITS(vqp_obj_tlv->obj_type); vqp_obj_len = EXTRACT_16BITS(vqp_obj_tlv->obj_length); tptr+=sizeof(struct vqp_obj_tlv_t);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13045_before_1mo_1441831358_vqp_print.c
43
44
45
46
47
48
49
50
51
52
tok2str(vqp_error_code_values, "unknown (%u)",vqp_common_header->error_code), vqp_common_header->error_code, EXTRACT_32BITS(&vqp_common_header->sequence), nitems, len)); /* skip VQP Common header */ tptr+=sizeof(const struct vqp_common_header_t); tlen-=sizeof(const struct vqp_common_header_t);
+ show +
53
54
55
56
57
58
while (nitems > 0 && tlen > 0) { vqp_obj_tlv = (const struct vqp_obj_tlv_t *)tptr; vqp_obj_type = EXTRACT_32BITS(vqp_obj_tlv->obj_type); vqp_obj_len = EXTRACT_16BITS(vqp_obj_tlv->obj_length); tptr+=sizeof(struct vqp_obj_tlv_t);
+ show +
59
60
61
62
63
64
65
66
67
68
tlen-=sizeof(struct vqp_obj_tlv_t); ND_PRINT((ndo, "\n\t %s Object (0x%08x), length %u, value: ", tok2str(vqp_obj_values, "Unknown", vqp_obj_type), vqp_obj_type, vqp_obj_len)); /* basic sanity check */ if (vqp_obj_type == 0 || vqp_obj_len ==0) { return; }

[tcpdump_CVE-2017-13045_1501366860_vqp_print.diff] vqp_print_OLD.c #3
/* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, vqp_obj_len); + if (vqp_obj_len > tlen) + goto trunc; switch(vqp_obj_type) { case VQP_OBJ_IP_ADDRESS: + if (vqp_obj_len != 4) + goto trunc; ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr))); break; /* those objects have similar semantics - fall through */
.\cloneFuncs\totalClone\Type-1\CVE-2017-13045_before_1mo_1441831358_vqp_print.c
60
61
62
63
64
65
66
67
68
69
ND_PRINT((ndo, "\n\t %s Object (0x%08x), length %u, value: ", tok2str(vqp_obj_values, "Unknown", vqp_obj_type), vqp_obj_type, vqp_obj_len)); /* basic sanity check */ if (vqp_obj_type == 0 || vqp_obj_len ==0) { return; }
+ show +
70
71
72
73
74
75
76
77
/* did we capture enough for fully decoding the object ? */ ND_TCHECK2(*tptr, vqp_obj_len); switch(vqp_obj_type) { case VQP_OBJ_IP_ADDRESS: ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr))); break; /* those objects have similar semantics - fall through */
+ show +
78
79
80
81
82
83
84
85
86
87
case VQP_OBJ_PORT_NAME: case VQP_OBJ_VLAN_NAME: case VQP_OBJ_VTP_DOMAIN: case VQP_OBJ_ETHERNET_PKT: safeputs(ndo, tptr, vqp_obj_len); break; /* those objects have similar semantics - fall through */ case VQP_OBJ_MAC_ADDRESS: case VQP_OBJ_MAC_NULL: ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr)));

[tcpdump_CVE-2017-13045_1501366860_vqp_print.diff] vqp_print_OLD.c #4
/* those objects have similar semantics - fall through */ case VQP_OBJ_MAC_ADDRESS: case VQP_OBJ_MAC_NULL: + if (vqp_obj_len != ETHER_ADDR_LEN) + goto trunc; ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr))); break; default:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13045_before_1mo_1441831358_vqp_print.c
74
75
76
77
78
79
80
81
82
83
case VQP_OBJ_IP_ADDRESS: ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr))); break; /* those objects have similar semantics - fall through */ case VQP_OBJ_PORT_NAME: case VQP_OBJ_VLAN_NAME: case VQP_OBJ_VTP_DOMAIN: case VQP_OBJ_ETHERNET_PKT: safeputs(ndo, tptr, vqp_obj_len); break;
+ show +
84
85
86
87
88
89
/* those objects have similar semantics - fall through */ case VQP_OBJ_MAC_ADDRESS: case VQP_OBJ_MAC_NULL: ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr))); break; default:
+ show +
90
91
92
93
94
95
96
97
98
99
if (ndo->ndo_vflag <= 1) print_unknown_data(ndo,tptr, "\n\t ", vqp_obj_len); break; } tptr += vqp_obj_len; tlen -= vqp_obj_len; nitems--; } return; trunc:

[tcpdump_CVE-2017-13048_1502041509_rsvp_obj_print.diff] rsvp_obj_print_OLD.c #1
case RSVP_OBJ_FASTREROUTE: /* the differences between c-type 1 and 7 are minor */ obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr; - bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); switch(rsvp_obj_ctype) { case RSVP_CTYPE_1: /* new style */ if (obj_tlen < sizeof(struct rsvp_obj_frr_t)) return-1; + bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
.\cloneFuncs\totalClone\Type-1\CVE-2017-13048_before_imd_1501256652_rsvp_obj_print.c
804
805
806
807
808
809
810
811
812
813
ipaddr_string(ndo, obj_tptr+8), EXTRACT_16BITS(obj_tptr + 12))); obj_tlen-=16; obj_tptr+=16; break; default: hexdump=TRUE; } break;
+ show +
814
815
816
817
818
819
820
821
822
823
824
825
case RSVP_OBJ_FASTREROUTE: /* the differences between c-type 1 and 7 are minor */ obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr; bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); switch(rsvp_obj_ctype) { case RSVP_CTYPE_1: /* new style */ if (obj_tlen < sizeof(struct rsvp_obj_frr_t)) return-1; ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
+ show +
826
827
828
829
830
831
832
833
834
835
(int)obj_ptr.rsvp_obj_frr->hold_prio, (int)obj_ptr.rsvp_obj_frr->hop_limit, bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include-any: 0x%08x, Exclude-any: 0x%08x, Include-all: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_all))); obj_tlen-=sizeof(struct rsvp_obj_frr_t); obj_tptr+=sizeof(struct rsvp_obj_frr_t);
.\cloneFuncs\totalClone\Type-3\CVE-2017-13048_before_1mo_1475706616_rsvp_obj_print.c
804
805
806
807
808
809
810
811
812
813
ipaddr_string(ndo, obj_tptr+8), EXTRACT_16BITS(obj_tptr + 12))); obj_tlen-=16; obj_tptr+=16; break; default: hexdump=TRUE; } break;
+ show +
814
815
816
817
818
819
820
821
822
823
824
825
case RSVP_OBJ_FASTREROUTE: /* the differences between c-type 1 and 7 are minor */ obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr; bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); switch(rsvp_obj_ctype) { case RSVP_CTYPE_1: /* new style */ if (obj_tlen < sizeof(struct rsvp_obj_frr_t)) return-1; ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
+ show +
826
827
828
829
830
831
832
833
834
835
(int)obj_ptr.rsvp_obj_frr->hold_prio, (int)obj_ptr.rsvp_obj_frr->hop_limit, bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include-any: 0x%08x, Exclude-any: 0x%08x, Include-all: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_all))); obj_tlen-=sizeof(struct rsvp_obj_frr_t); obj_tptr+=sizeof(struct rsvp_obj_frr_t);

[tcpdump_CVE-2017-13048_1502041509_rsvp_obj_print.diff] rsvp_obj_print_OLD.c #2
case RSVP_CTYPE_TUNNEL_IPV4: /* old style */ if (obj_tlen < 16) return-1; + bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
.\cloneFuncs\totalClone\Type-1\CVE-2017-13048_before_imd_1501256652_rsvp_obj_print.c
828
829
830
831
832
833
834
835
836
837
bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include-any: 0x%08x, Exclude-any: 0x%08x, Include-all: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_all))); obj_tlen-=sizeof(struct rsvp_obj_frr_t); obj_tptr+=sizeof(struct rsvp_obj_frr_t); break;
+ show +
838
839
840
841
842
843
case RSVP_CTYPE_TUNNEL_IPV4: /* old style */ if (obj_tlen < 16) return-1; ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
+ show +
844
845
846
847
848
849
850
851
852
853
(int)obj_ptr.rsvp_obj_frr->hold_prio, (int)obj_ptr.rsvp_obj_frr->hop_limit, bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include Colors: 0x%08x, Exclude Colors: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any))); obj_tlen-=16; obj_tptr+=16; break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13048_before_1mo_1475706616_rsvp_obj_print.c
828
829
830
831
832
833
834
835
836
837
bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include-any: 0x%08x, Exclude-any: 0x%08x, Include-all: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_all))); obj_tlen-=sizeof(struct rsvp_obj_frr_t); obj_tptr+=sizeof(struct rsvp_obj_frr_t); break;
+ show +
838
839
840
841
842
843
case RSVP_CTYPE_TUNNEL_IPV4: /* old style */ if (obj_tlen < 16) return-1; ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
+ show +
844
845
846
847
848
849
850
851
852
853
(int)obj_ptr.rsvp_obj_frr->hold_prio, (int)obj_ptr.rsvp_obj_frr->hop_limit, bw.f * 8 / 1000000)); ND_PRINT((ndo, "%s Include Colors: 0x%08x, Exclude Colors: 0x%08x", ident, EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->include_any), EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->exclude_any))); obj_tlen-=16; obj_tptr+=16; break;

[tcpdump_CVE-2017-13049_1501863307_ubik_print.diff] ubik_print_OLD.c #1
INTOUT(); ND_PRINT((ndo, " length")); INTOUT(); + ND_TCHECK_32BITS(bp); temp = EXTRACT_32BITS(bp); bp += sizeof(int32_t); tok2str(ubik_lock_types, "type %d", temp);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13049_before_1mo_1472129825_ubik_print.c
44
45
46
47
48
49
50
51
52
53
case 20010: /* Writev */ ND_PRINT((ndo, " tid")); UBIK_VERSIONOUT(); break; case 20002: /* Lock */ ND_PRINT((ndo, " tid")); UBIK_VERSIONOUT(); ND_PRINT((ndo, " file")); INTOUT(); ND_PRINT((ndo, " pos"));
+ show +
54
55
56
57
58
59
INTOUT(); ND_PRINT((ndo, " length")); INTOUT(); temp = EXTRACT_32BITS(bp); bp += sizeof(int32_t); tok2str(ubik_lock_types, "type %d", temp);
+ show +
60
61
62
63
64
65
66
67
68
69
break; case 20003: /* Write */ ND_PRINT((ndo, " tid")); UBIK_VERSIONOUT(); ND_PRINT((ndo, " file")); INTOUT(); ND_PRINT((ndo, " pos")); INTOUT(); break; case 20005: /* Get file */

[tcpdump_CVE-2017-13052_1502751932_cfm_network_addr_print.diff] cfm_network_addr_print_OLD.c #1
static int cfm_network_addr_print(netdissect_options *ndo, - register const u_char *tptr) + register const u_char *tptr, const u_int length) { u_int network_addr_type; u_int hexdump = FALSE;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_1mo_1486214606_cfm_network_addr_print.c
+ show +
1
2
3
4
5
6
static int cfm_network_addr_print(netdissect_options *ndo, register const u_char *tptr) { u_int network_addr_type; u_int hexdump = FALSE;
+ show +
7
8
9
10
11
12
13
14
15
16
/* * Altough AFIs are tpically 2 octects wide, * 802.1ab specifies that this field width * is only once octet */ network_addr_type = *tptr; ND_PRINT((ndo, "\n\t Network Address Type %s (%u)", tok2str(af_values, "Unknown", network_addr_type), network_addr_type));

[tcpdump_CVE-2017-13052_1502751932_cfm_network_addr_print.diff] cfm_network_addr_print_OLD.c #2
* 802.1ab specifies that this field width * is only once octet */ + if (length < 1) { + ND_PRINT((ndo, "\n\t Network Address Type (invalid, no data")); + return hexdump; + } + /* The calling function must make any due ND_TCHECK calls. */ network_addr_type = *tptr; ND_PRINT((ndo, "\n\t Network Address Type %s (%u)", tok2str(af_values, "Unknown", network_addr_type),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_1mo_1486214606_cfm_network_addr_print.c
1
2
3
4
5
6
7
8
9
static int cfm_network_addr_print(netdissect_options *ndo, register const u_char *tptr) { u_int network_addr_type; u_int hexdump = FALSE; /* * Altough AFIs are tpically 2 octects wide,
+ show +
10
11
12
13
14
15
* 802.1ab specifies that this field width * is only once octet */ network_addr_type = *tptr; ND_PRINT((ndo, "\n\t Network Address Type %s (%u)", tok2str(af_values, "Unknown", network_addr_type),
+ show +
16
17
18
19
20
21
22
23
24
25
network_addr_type)); /* * Resolve the passed in Address. */ switch(network_addr_type) { case AFNUM_INET: ND_PRINT((ndo, ", %s", ipaddr_string(ndo, tptr + 1))); break;

[tcpdump_CVE-2017-13052_1502751932_cfm_network_addr_print.diff] cfm_network_addr_print_OLD.c #3
*/ switch(network_addr_type) { case AFNUM_INET: + if (length != 1 + 4) { + ND_PRINT((ndo, "(invalid IPv4 address length %u)", length - 1)); + hexdump = TRUE; + break; + } ND_PRINT((ndo, ", %s", ipaddr_string(ndo, tptr + 1))); break; case AFNUM_INET6: + if (length != 1 + 16) { + ND_PRINT((ndo, "(invalid IPv6 address length %u)", length - 1)); + hexdump = TRUE; + break; + } ND_PRINT((ndo, ", %s", ip6addr_string(ndo, tptr + 1))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_1mo_1486214606_cfm_network_addr_print.c
10
11
12
13
14
15
16
17
18
19
* 802.1ab specifies that this field width * is only once octet */ network_addr_type = *tptr; ND_PRINT((ndo, "\n\t Network Address Type %s (%u)", tok2str(af_values, "Unknown", network_addr_type), network_addr_type)); /* * Resolve the passed in Address.
+ show +
20
21
22
23
24
25
26
27
28
*/ switch(network_addr_type) { case AFNUM_INET: ND_PRINT((ndo, ", %s", ipaddr_string(ndo, tptr + 1))); break; case AFNUM_INET6: ND_PRINT((ndo, ", %s", ip6addr_string(ndo, tptr + 1))); break;
+ show +
29
30
31
32
33
34
35
36
default: hexdump = TRUE; break; } return hexdump; }

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #1
if (cfm_tlv_len < 1) { ND_PRINT((ndo, " (too short, must be >= 1)")); - return; + goto next_tlv; } /* * Get the Chassis ID length and check it. + * IEEE 802.1Q-2014 Section 21.5.3.1 */ chassis_id_length = *tptr; tptr++;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
321
322
323
324
325
326
327
328
329
330
EXTRACT_24BITS(tptr), *(tptr + 3))); hexdump = TRUE; break; case CFM_TLV_SENDER_ID: { u_int chassis_id_type, chassis_id_length; u_int mgmt_addr_length;
+ show +
331
332
333
334
335
336
337
338
339
340
if (cfm_tlv_len < 1) { ND_PRINT((ndo, " (too short, must be >= 1)")); return; } /* * Get the Chassis ID length and check it. */ chassis_id_length = *tptr; tptr++;
+ show +
341
342
343
344
345
346
347
348
349
350
tlen--; cfm_tlv_len--; if (chassis_id_length) { if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } chassis_id_type = *tptr; cfm_tlv_len--;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
318
319
320
321
322
323
324
325
326
327
EXTRACT_24BITS(tptr), *(tptr + 3))); hexdump = TRUE; break; case CFM_TLV_SENDER_ID: { u_int chassis_id_type, chassis_id_length; u_int mgmt_addr_length;
+ show +
328
329
330
331
332
333
334
335
336
337
if (cfm_tlv_len < 1) { ND_PRINT((ndo, " (too short, must be >= 1)")); return; } /* * Get the Chassis ID length and check it. */ chassis_id_length = *tptr; tptr++;
+ show +
338
339
340
341
342
343
344
345
346
347
tlen--; cfm_tlv_len--; if (chassis_id_length) { if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } chassis_id_type = *tptr; cfm_tlv_len--;

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #2
cfm_tlv_len--; if (chassis_id_length) { + /* + * IEEE 802.1Q-2014 Section 21.5.3.2: Chassis ID Subtype, references + * IEEE 802.1AB-2005 Section 9.5.2.2, subsequently + * IEEE 802.1AB-2016 Section 8.5.2.2: chassis ID subtype + */ if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); - return; + goto next_tlv; } chassis_id_type = *tptr; cfm_tlv_len--;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
332
333
334
335
336
337
338
339
340
341
ND_PRINT((ndo, " (too short, must be >= 1)")); return; } /* * Get the Chassis ID length and check it. */ chassis_id_length = *tptr; tptr++; tlen--;
+ show +
342
343
344
345
346
347
348
349
350
cfm_tlv_len--; if (chassis_id_length) { if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } chassis_id_type = *tptr; cfm_tlv_len--;
+ show +
351
352
353
354
355
356
357
358
359
360
ND_PRINT((ndo, "\n\t Chassis-ID Type %s (%u), Chassis-ID length %u", tok2str(cfm_tlv_senderid_chassisid_values, "Unknown", chassis_id_type), chassis_id_type, chassis_id_length)); if (cfm_tlv_len < chassis_id_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
329
330
331
332
333
334
335
336
337
338
ND_PRINT((ndo, " (too short, must be >= 1)")); return; } /* * Get the Chassis ID length and check it. */ chassis_id_length = *tptr; tptr++; tlen--;
+ show +
339
340
341
342
343
344
345
346
347
cfm_tlv_len--; if (chassis_id_length) { if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } chassis_id_type = *tptr; cfm_tlv_len--;
+ show +
348
349
350
351
352
353
354
355
356
357
ND_PRINT((ndo, "\n\t Chassis-ID Type %s (%u), Chassis-ID length %u", tok2str(cfm_tlv_senderid_chassisid_values, "Unknown", chassis_id_type), chassis_id_type, chassis_id_length)); if (cfm_tlv_len < chassis_id_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return;

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #3
if (cfm_tlv_len < chassis_id_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); - return; + goto next_tlv; } + /* IEEE 802.1Q-2014 Section 21.5.3.3: Chassis ID */ switch (chassis_id_type) { case CFM_CHASSIS_ID_MAC_ADDRESS: + if (chassis_id_length != ETHER_ADDR_LEN) { + ND_PRINT((ndo, " (invalid MAC address length)")); + hexdump = TRUE; + break; + } ND_PRINT((ndo, "\n\t MAC %s", etheraddr_string(ndo, tptr + 1))); break; case CFM_CHASSIS_ID_NETWORK_ADDRESS: - hexdump |= cfm_network_addr_print(ndo, tptr); + hexdump |= cfm_network_addr_print(ndo, tptr + 1, chassis_id_length); break; case CFM_CHASSIS_ID_INTERFACE_NAME: /* fall through */
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
348
349
350
351
352
353
354
355
356
357
} chassis_id_type = *tptr; cfm_tlv_len--; ND_PRINT((ndo, "\n\t Chassis-ID Type %s (%u), Chassis-ID length %u", tok2str(cfm_tlv_senderid_chassisid_values, "Unknown", chassis_id_type), chassis_id_type, chassis_id_length));
+ show +
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
if (cfm_tlv_len < chassis_id_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } switch (chassis_id_type) { case CFM_CHASSIS_ID_MAC_ADDRESS: ND_PRINT((ndo, "\n\t MAC %s", etheraddr_string(ndo, tptr + 1))); break; case CFM_CHASSIS_ID_NETWORK_ADDRESS: hexdump |= cfm_network_addr_print(ndo, tptr); break; case CFM_CHASSIS_ID_INTERFACE_NAME: /* fall through */
+ show +
373
374
375
376
377
378
379
380
381
382
case CFM_CHASSIS_ID_INTERFACE_ALIAS: case CFM_CHASSIS_ID_LOCAL: case CFM_CHASSIS_ID_CHASSIS_COMPONENT: case CFM_CHASSIS_ID_PORT_COMPONENT: safeputs(ndo, tptr + 1, chassis_id_length); break; default: hexdump = TRUE; break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
345
346
347
348
349
350
351
352
353
354
} chassis_id_type = *tptr; cfm_tlv_len--; ND_PRINT((ndo, "\n\t Chassis-ID Type %s (%u), Chassis-ID length %u", tok2str(cfm_tlv_senderid_chassisid_values, "Unknown", chassis_id_type), chassis_id_type, chassis_id_length));
+ show +
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
if (cfm_tlv_len < chassis_id_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } switch (chassis_id_type) { case CFM_CHASSIS_ID_MAC_ADDRESS: ND_PRINT((ndo, "\n\t MAC %s", etheraddr_string(ndo, tptr + 1))); break; case CFM_CHASSIS_ID_NETWORK_ADDRESS: hexdump |= cfm_network_addr_print(ndo, tptr); break; case CFM_CHASSIS_ID_INTERFACE_NAME: /* fall through */
+ show +
370
371
372
373
374
375
376
377
378
379
case CFM_CHASSIS_ID_INTERFACE_ALIAS: case CFM_CHASSIS_ID_LOCAL: case CFM_CHASSIS_ID_CHASSIS_COMPONENT: case CFM_CHASSIS_ID_PORT_COMPONENT: safeputs(ndo, tptr + 1, chassis_id_length); break; default: hexdump = TRUE; break;

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #4
/* * Check if there is a Management Address. + * IEEE 802.1Q-2014 Section 21.5.3.4: Management Address Domain Length + * This and all subsequent fields are not present if the TLV length + * allows only the above fields. */ if (cfm_tlv_len == 0) { /* No, there isn't; we're done. */ - return; + break; } + /* Here mgmt_addr_length stands for the management domain length. */ mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; + ND_PRINT((ndo, "\n\t Management Address Domain Length %u", mgmt_addr_length)); if (mgmt_addr_length) { + /* IEEE 802.1Q-2014 Section 21.5.3.5: Management Address Domain */ if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); - return; + goto next_tlv; } cfm_tlv_len -= mgmt_addr_length; /* * XXX - this is an OID; print it as such. */ + hex_print(ndo, "\n\t Management Address Domain: ", tptr, mgmt_addr_length); tptr += mgmt_addr_length; tlen -= mgmt_addr_length; + /* + * IEEE 802.1Q-2014 Section 21.5.3.6: Management Address Length + * This field is present if Management Address Domain Length is not 0. + */ if (cfm_tlv_len < 1) { - ND_PRINT((ndo, "\n\t (TLV too short)")); - return; + ND_PRINT((ndo, " (Management Address Length is missing)")); + hexdump = TRUE; + break; } + /* Here mgmt_addr_length stands for the management address length. */ mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; + ND_PRINT((ndo, "\n\t Management Address Length %u", mgmt_addr_length)); if (mgmt_addr_length) { + /* IEEE 802.1Q-2014 Section 21.5.3.7: Management Address */ if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
380
381
382
383
384
385
386
387
388
389
default: hexdump = TRUE; break; } cfm_tlv_len -= chassis_id_length; tptr += 1 + chassis_id_length; tlen -= 1 + chassis_id_length; }
+ show +
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
/* * Check if there is a Management Address. */ if (cfm_tlv_len == 0) { /* No, there isn't; we're done. */ return; } mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } cfm_tlv_len -= mgmt_addr_length; /* * XXX - this is an OID; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return;
+ show +
427
428
429
430
431
432
433
434
435
436
} cfm_tlv_len -= mgmt_addr_length; /* * XXX - this is a TransportDomain; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; } } break;
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
377
378
379
380
381
382
383
384
385
386
default: hexdump = TRUE; break; } cfm_tlv_len -= chassis_id_length; tptr += 1 + chassis_id_length; tlen -= 1 + chassis_id_length; }
+ show +
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
/* * Check if there is a Management Address. */ if (cfm_tlv_len == 0) { /* No, there isn't; we're done. */ return; } mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } cfm_tlv_len -= mgmt_addr_length; /* * XXX - this is an OID; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; if (cfm_tlv_len < 1) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return;
+ show +
424
425
426
427
428
429
430
431
432
433
} cfm_tlv_len -= mgmt_addr_length; /* * XXX - this is a TransportDomain; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; } } break;

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #5
/* * XXX - this is a TransportDomain; print it as such. */ + hex_print(ndo, "\n\t Management Address: ", tptr, mgmt_addr_length); tptr += mgmt_addr_length; tlen -= mgmt_addr_length; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
419
420
421
422
423
424
425
426
427
428
mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } cfm_tlv_len -= mgmt_addr_length;
+ show +
429
430
431
432
433
434
/* * XXX - this is a TransportDomain; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; }
+ show +
435
436
437
438
439
440
441
442
443
444
} break; } /* * FIXME those are the defined TLVs that lack a decoder * you are welcome to contribute code ;-) */ case CFM_TLV_DATA:
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
416
417
418
419
420
421
422
423
424
425
mgmt_addr_length = *tptr; tptr++; tlen--; cfm_tlv_len--; if (mgmt_addr_length) { if (cfm_tlv_len < mgmt_addr_length) { ND_PRINT((ndo, "\n\t (TLV too short)")); return; } cfm_tlv_len -= mgmt_addr_length;
+ show +
426
427
428
429
430
431
/* * XXX - this is a TransportDomain; print it as such. */ tptr += mgmt_addr_length; tlen -= mgmt_addr_length; }
+ show +
432
433
434
435
436
437
438
439
440
441
} break; } /* * FIXME those are the defined TLVs that lack a decoder * you are welcome to contribute code ;-) */ case CFM_TLV_DATA:

[tcpdump_CVE-2017-13052_1502751932_cfm_print.diff] cfm_print_OLD.c #6
if (hexdump || ndo->ndo_vflag > 1) print_unknown_data(ndo, tlv_ptr, "\n\t ", cfm_tlv_len); +next_tlv: tptr+=cfm_tlv_len; tlen-=cfm_tlv_len; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13052_before_imd_1490607297_cfm_print.c
442
443
444
445
446
447
448
449
450
451
*/ case CFM_TLV_DATA: case CFM_TLV_REPLY_INGRESS: case CFM_TLV_REPLY_EGRESS: default: hexdump = TRUE; break; } /* do we want to see an additional hexdump ? */
+ show +
452
453
454
455
456
457
if (hexdump || ndo->ndo_vflag > 1) print_unknown_data(ndo, tlv_ptr, "\n\t ", cfm_tlv_len); tptr+=cfm_tlv_len; tlen-=cfm_tlv_len; }
+ show +
458
459
460
461
462
463
464
465
466
return; tooshort: ND_PRINT((ndo, "\n\t\t packet is too short")); return; trunc: ND_PRINT((ndo, "\n\t\t packet exceeded snapshot")); }
.\cloneFuncs\totalClone\Type-3\CVE-2017-13052_before_1mo_1486214606_cfm_print.c
439
440
441
442
443
444
445
446
447
448
*/ case CFM_TLV_DATA: case CFM_TLV_REPLY_INGRESS: case CFM_TLV_REPLY_EGRESS: default: hexdump = TRUE; break; } /* do we want to see an additional hexdump ? */
+ show +
449
450
451
452
453
454
if (hexdump || ndo->ndo_vflag > 1) print_unknown_data(ndo, tlv_ptr, "\n\t ", cfm_tlv_len); tptr+=cfm_tlv_len; tlen-=cfm_tlv_len; }
+ show +
455
456
457
458
459
460
461
462
463
return; tooshort: ND_PRINT((ndo, "\n\t\t packet is too short")); return; trunc: ND_PRINT((ndo, "\n\t\t packet exceeded snapshot")); }

[tcpdump_CVE-2017-13053_1502455142_decode_rt_routing_info.diff] decode_rt_routing_info_OLD.c #1
{ uint8_t route_target[8]; u_int plen; + char asbuf[sizeof(astostr)]; /* bgp_vpn_rd_print() overwrites astostr */ + /* NLRI "prefix length" from RFC 2858 Section 4. */ ND_TCHECK(pptr[0]); plen = pptr[0]; /* get prefix length */ + /* NLRI "prefix" (ibid), valid lengths are { 0, 32, 33, ..., 96 } bits. + * RFC 4684 Section 4 defines the layout of "origin AS" and "route + * target" fields inside the "prefix" depending on its length. + */ if (0 == plen) { + /* Without "origin AS", without "route target". */ snprintf(buf, buflen, "default route target"); return 1; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13053_before_1mo_1496137922_decode_rt_routing_info.c
1
2
3
static int decode_rt_routing_info(netdissect_options *ndo, const u_char *pptr, char *buf, u_int buflen)
+ show +
4
5
6
7
8
9
10
11
12
13
14
{ uint8_t route_target[8]; u_int plen; ND_TCHECK(pptr[0]); plen = pptr[0]; /* get prefix length */ if (0 == plen) { snprintf(buf, buflen, "default route target"); return 1; }
+ show +
15
16
17
18
19
20
21
22
23
24
if (32 > plen) return -1; plen-=32; /* adjust prefix length */ if (64 < plen) return -1; memset(&route_target, 0, sizeof(route_target));

[tcpdump_CVE-2017-13054_1502319715_lldp_private_8023_print.diff] lldp_private_8023_print_OLD.c #1
break; case LLDP_PRIVATE_8023_SUBTYPE_MTU: + if (tlv_len < 6) { + return hexdump; + } ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4))); break;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13054_before_1mo_1484643706_lldp_private_8023_print.c
39
40
41
42
43
44
45
46
47
48
tok2str(lldp_mdi_power_class_values, "unknown", *(tptr + 6)))); break; case LLDP_PRIVATE_8023_SUBTYPE_LINKAGGR: if (tlv_len < 9) { return hexdump; } ND_PRINT((ndo, "\n\t aggregation status [%s], aggregation port ID %u", bittok2str(lldp_aggregation_values, "none", *(tptr+4)), EXTRACT_32BITS(tptr + 5)));
+ show +
49
50
51
52
53
break; case LLDP_PRIVATE_8023_SUBTYPE_MTU: ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4))); break;
+ show +
54
55
56
57
58
59
60
61
default: hexdump = TRUE; break; } return hexdump; }

[tcpdump_CVE-2017-13055_1502921071_isis_print_is_reach_subtlv.diff] isis_print_is_reach_subtlv_OLD.c #1
break; case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */ case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD: + if (subl == 0) + break; ND_PRINT((ndo, "%sBandwidth Constraints Model ID: %s (%u)", ident, tok2str(diffserv_te_bc_values, "unknown", *tptr),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13055_before_1mo_1496695044_isis_print_is_reach_subtlv.c
42
43
44
45
46
47
48
49
50
51
if (subl >= 32) { for (te_class = 0; te_class < 8; te_class++) { bw.i = EXTRACT_32BITS(tptr); ND_PRINT((ndo, "%s TE-Class %u: %.3f Mbps", ident, te_class, bw.f * 8 / 1000000)); tptr+=4; } }
+ show +
52
53
54
55
56
57
break; case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */ case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD: ND_PRINT((ndo, "%sBandwidth Constraints Model ID: %s (%u)", ident, tok2str(diffserv_te_bc_values, "unknown", *tptr),
+ show +
58
59
60
61
62
63
64
65
66
67
*tptr)); tptr++; /* decode BCs until the subTLV ends */ for (te_class = 0; te_class < (subl-1)/4; te_class++) { ND_TCHECK2(*tptr, 4); bw.i = EXTRACT_32BITS(tptr); ND_PRINT((ndo, "%s Bandwidth constraint CT%u: %.3f Mbps", ident, te_class, bw.f * 8 / 1000000));

[tcpdump_CVE-2017-13055_1502921071_isis_print_is_reach_subtlv.diff] isis_print_is_reach_subtlv_OLD.c #2
tptr++; /* decode BCs until the subTLV ends */ for (te_class = 0; te_class < (subl-1)/4; te_class++) { - ND_TCHECK2(*tptr, 4); bw.i = EXTRACT_32BITS(tptr); ND_PRINT((ndo, "%s Bandwidth constraint CT%u: %.3f Mbps", ident,
.\cloneFuncs\totalClone\Type-1\CVE-2017-13055_before_1mo_1496695044_isis_print_is_reach_subtlv.c
49
50
51
52
53
54
55
56
57
58
tptr+=4; } } break; case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */ case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD: ND_PRINT((ndo, "%sBandwidth Constraints Model ID: %s (%u)", ident, tok2str(diffserv_te_bc_values, "unknown", *tptr), *tptr));
+ show +
59
60
61
62
63
64
65
tptr++; /* decode BCs until the subTLV ends */ for (te_class = 0; te_class < (subl-1)/4; te_class++) { ND_TCHECK2(*tptr, 4); bw.i = EXTRACT_32BITS(tptr); ND_PRINT((ndo, "%s Bandwidth constraint CT%u: %.3f Mbps", ident,
+ show +
66
67
68
69
70
71
72
73
74
75
te_class, bw.f * 8 / 1000000)); tptr+=4; } break; case ISIS_SUBTLV_EXT_IS_REACH_TE_METRIC: if (subl >= 3) ND_PRINT((ndo, ", %u", EXTRACT_24BITS(tptr))); break; case ISIS_SUBTLV_EXT_IS_REACH_LINK_ATTRIBUTE:

[linux_CVE-2017-13080_1504616094_ieee80211_key_link.diff] ieee80211_key_link_OLD.c #1
pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; idx = key->conf.keyidx; - key->local = sdata->local; - key->sdata = sdata; - key->sta = sta; mutex_lock(&sdata->local->key_mtx);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13080_before_1mo_1459443730_ieee80211_key_link.c
1
2
3
4
5
6
7
8
9
int ieee80211_key_link(struct ieee80211_key *key, struct ieee80211_sub_if_data *sdata, struct sta_info *sta) { struct ieee80211_local *local = sdata->local; struct ieee80211_key *old_key; int idx, ret; bool pairwise;
+ show +
10
11
12
13
14
15
16
pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; idx = key->conf.keyidx; key->local = sdata->local; key->sdata = sdata; key->sta = sta; mutex_lock(&sdata->local->key_mtx);
+ show +
17
18
19
20
21
22
23
24
25
26
if (sta && pairwise) old_key = key_mtx_dereference(sdata->local, sta->ptk[idx]); else if (sta) old_key = key_mtx_dereference(sdata->local, sta->gtk[idx]); else old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); increment_tailroom_need_count(sdata);

[linux_CVE-2017-13080_1504616094_ieee80211_key_link.diff] ieee80211_key_link_OLD.c #2
else old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); + /* + * Silently accept key re-installation without really installing the + * new version of the key to avoid nonce reuse or replay issues. + */ + if (old_key && key->conf.keylen == old_key->conf.keylen && + !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; + } + + key->local = sdata->local; + key->sdata = sdata; + key->sta = sta; + increment_tailroom_need_count(sdata); ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13080_before_1mo_1459443730_ieee80211_key_link.c
12
13
14
15
16
17
18
19
20
21
key->local = sdata->local; key->sdata = sdata; key->sta = sta; mutex_lock(&sdata->local->key_mtx); if (sta && pairwise) old_key = key_mtx_dereference(sdata->local, sta->ptk[idx]); else if (sta) old_key = key_mtx_dereference(sdata->local, sta->gtk[idx]);
+ show +
22
23
24
25
26
27
else old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); increment_tailroom_need_count(sdata); ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+ show +
28
29
30
31
32
33
34
35
36
37
ieee80211_key_destroy(old_key, true); ieee80211_debugfs_key_add(key); if (!local->wowlan) { ret = ieee80211_key_enable_hw_accel(key); if (ret) ieee80211_key_free(key, true); } else { ret = 0;

[qemu_CVE-2017-13672_1507644802_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #1
DisplaySurface *surface = qemu_console_surface(s->con); int y1, y, update, linesize, y_start, double_scan, mask, depth; int width, height, shift_control, bwidth, bits; - ram_addr_t page0, page1; + ram_addr_t page0, page1, region_start, region_end; DirtyBitmapSnapshot *snap = NULL; int disp_width, multi_scan, multi_run; uint8_t *d; uint32_t v, addr1, addr; vga_draw_line_func *vga_draw_line = NULL; - bool share_surface; + bool share_surface, force_shadow = false; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13672_before_imd_1507644801_vga_draw_graphic.c
1
2
static void vga_draw_graphic(VGACommonState *s, int full_update) {
+ show +
3
4
5
6
7
8
9
10
11
12
13
14
15
DisplaySurface *surface = qemu_console_surface(s->con); int y1, y, update, linesize, y_start, double_scan, mask, depth; int width, height, shift_control, bwidth, bits; ram_addr_t page0, page1; DirtyBitmapSnapshot *snap = NULL; int disp_width, multi_scan, multi_run; uint8_t *d; uint32_t v, addr1, addr; vga_draw_line_func *vga_draw_line = NULL; bool share_surface; pixman_format_code_t format; #ifdef HOST_WORDS_BIGENDIAN bool byteswap = !s->big_endian_fb;
+ show +
16
17
18
19
20
21
22
23
24
25
#else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); s->get_resolution(s, &width, &height); disp_width = width; shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;

[qemu_CVE-2017-13672_1507644802_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #4
y1 = 0; if (!full_update) { - ram_addr_t region_start = addr1; - ram_addr_t region_end = addr1 + s->line_offset * height; vga_sync_dirty_bitmap(s); if (s->line_compare < height) { /* split screen mode */
.\cloneFuncs\totalClone\Type-1\CVE-2017-13672_before_imd_1507644801_vga_draw_graphic.c
155
156
157
158
159
160
161
162
163
164
#if 0 printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); #endif addr1 = (s->start_addr * 4); bwidth = DIV_ROUND_UP(width * bits, 8); y_start = -1; d = surface_data(surface); linesize = surface_stride(surface);
+ show +
165
166
167
168
169
170
171
172
y1 = 0; if (!full_update) { ram_addr_t region_start = addr1; ram_addr_t region_end = addr1 + s->line_offset * height; vga_sync_dirty_bitmap(s); if (s->line_compare < height) { /* split screen mode */
+ show +
173
174
175
176
177
178
179
180
181
182
region_start = 0; } snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start, region_end - region_start, DIRTY_MEMORY_VGA); } for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) {

[qemu_CVE-2017-13672_1507644802_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #5
addr = (addr & ~0x8000) | ((y1 & 2) << 14); } update = full_update; - page0 = addr; - page1 = addr + bwidth - 1; + page0 = addr & s->vbe_size_mask; + page1 = (addr + bwidth - 1) & s->vbe_size_mask; if (full_update) { update = 1; + } else if (page1 < page0) { + /* scanline wraps from end of video memory to the start */ + assert(force_shadow); + update = memory_region_snapshot_get_dirty(&s->vram, snap, + page0, 0); + update |= memory_region_snapshot_get_dirty(&s->vram, snap, + page1, 0); } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13672_before_imd_1507644801_vga_draw_graphic.c
179
180
181
182
183
184
185
186
187
188
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {
+ show +
189
190
191
192
193
194
195
196
197
198
addr = (addr & ~0x8000) | ((y1 & 2) << 14); } update = full_update; page0 = addr; page1 = addr + bwidth - 1; if (full_update) { update = 1; } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0);
+ show +
199
200
201
202
203
204
205
206
207
208
} /* explicit invalidation for the hardware cursor (cirrus only) */ update |= vga_scanline_invalidated(s, y); if (update) { if (y_start < 0) y_start = y; if (!(is_buffer_shared(surface))) { vga_draw_line(s, d, addr, width); if (s->cursor_draw_line) s->cursor_draw_line(s, d, y);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13673_before_imd_1498129456_vga_draw_graphic.c
174
175
176
177
178
179
180
181
182
183
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {
+ show +
184
185
186
187
188
189
190
191
192
193
addr = (addr & ~0x8000) | ((y1 & 2) << 14); } update = full_update; page0 = addr; page1 = addr + bwidth - 1; if (full_update) { update = 1; } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0);
+ show +
194
195
196
197
198
199
200
201
202
203
} /* explicit invalidation for the hardware cursor (cirrus only) */ update |= vga_scanline_invalidated(s, y); if (update) { if (y_start < 0) y_start = y; if (!(is_buffer_shared(surface))) { vga_draw_line(s, d, s->vram_ptr + addr, width); if (s->cursor_draw_line) s->cursor_draw_line(s, d, y);
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_after_imd_1503923346_vga_draw_graphic.c
180
181
182
183
184
185
186
187
188
189
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {
+ show +
190
191
192
193
194
195
196
197
198
199
addr = (addr & ~0x8000) | ((y1 & 2) << 14); } update = full_update; page0 = addr; page1 = addr + bwidth - 1; if (full_update) { update = 1; } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0);
+ show +
200
201
202
203
204
205
206
207
208
209
} /* explicit invalidation for the hardware cursor (cirrus only) */ update |= vga_scanline_invalidated(s, y); if (update) { if (y_start < 0) y_start = y; if (!(is_buffer_shared(surface))) { vga_draw_line(s, d, addr, width); if (s->cursor_draw_line) s->cursor_draw_line(s, d, y);
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_before_1mo_1499438569_vga_draw_graphic.c
174
175
176
177
178
179
180
181
182
183
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {
+ show +
184
185
186
187
188
189
190
191
192
193
addr = (addr & ~0x8000) | ((y1 & 2) << 14); } update = full_update; page0 = addr; page1 = addr + bwidth - 1; if (full_update) { update = 1; } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0);
+ show +
194
195
196
197
198
199
200
201
202
203
} /* explicit invalidation for the hardware cursor (cirrus only) */ update |= vga_scanline_invalidated(s, y); if (update) { if (y_start < 0) y_start = y; if (!(is_buffer_shared(surface))) { vga_draw_line(s, d, s->vram_ptr + addr, width); if (s->cursor_draw_line) s->cursor_draw_line(s, d, y);

[qemu_CVE-2017-13673_1503923587_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #1
y1 = 0; if (!full_update) { + ram_addr_t region_start = addr1; + ram_addr_t region_end = addr1 + line_offset * height; vga_sync_dirty_bitmap(s); - snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1, - line_offset * height, + if (s->line_compare < height) { + /* split screen mode */ + region_start = 0; + } + snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start, + region_end - region_start, DIRTY_MEMORY_VGA); }
.\cloneFuncs\totalClone\Type-1\CVE-2017-13673_before_imd_1498129456_vga_draw_graphic.c
156
157
158
159
160
161
162
163
164
165
#if 0 printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); #endif addr1 = (s->start_addr * 4); bwidth = DIV_ROUND_UP(width * bits, 8); y_start = -1; d = surface_data(surface); linesize = surface_stride(surface);
+ show +
166
167
168
169
170
171
172
173
y1 = 0; if (!full_update) { vga_sync_dirty_bitmap(s); snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1, line_offset * height, DIRTY_MEMORY_VGA); }
+ show +
174
175
176
177
178
179
180
181
182
183
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13673_before_1mo_1499438569_vga_draw_graphic.c
156
157
158
159
160
161
162
163
164
165
#if 0 printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); #endif addr1 = (s->start_addr * 4); bwidth = (width * bits + 7) / 8; y_start = -1; d = surface_data(surface); linesize = surface_stride(surface);
+ show +
166
167
168
169
170
171
172
173
y1 = 0; if (!full_update) { vga_sync_dirty_bitmap(s); snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1, line_offset * height, DIRTY_MEMORY_VGA); }
+ show +
174
175
176
177
178
179
180
181
182
183
for(y = 0; y < height; y++) { addr = addr1; if (!(s->cr[VGA_CRTC_MODE] & 1)) { int shift; /* CGA compatibility handling */ shift = 14 + ((s->cr[VGA_CRTC_MODE] >> 6) & 1); addr = (addr & ~(1 << shift)) | ((y1 & 1) << shift); } if (!(s->cr[VGA_CRTC_MODE] & 2)) {

[tcpdump_CVE-2017-13687_1486127691_chdlc_print.diff] chdlc_print_OLD.c #1
chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length) { u_int proto; + const u_char *bp = p; + if (length < CHDLC_HDRLEN) + goto trunc; + ND_TCHECK2(*p, CHDLC_HDRLEN); proto = EXTRACT_16BITS(&p[2]); if (ndo->ndo_eflag) { ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
.\cloneFuncs\totalClone\Type-1\CVE-2017-13687_before_imd_1484139285_chdlc_print.c
1
u_int
+ show +
2
3
4
5
6
7
8
chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length) { u_int proto; proto = EXTRACT_16BITS(&p[2]); if (ndo->ndo_eflag) { ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
+ show +
9
10
11
12
13
14
15
16
17
18
tok2str(chdlc_cast_values, "0x%02x", p[0]), tok2str(ethertype_values, "Unknown", proto), proto, length)); } length -= CHDLC_HDRLEN; p += CHDLC_HDRLEN; switch (proto) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13687_before_1mo_1471182139_chdlc_print.c
1
u_int
+ show +
2
3
4
5
6
7
8
chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length) { u_int proto; proto = EXTRACT_16BITS(&p[2]); if (ndo->ndo_eflag) { ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
+ show +
9
10
11
12
13
14
15
16
17
18
tok2str(chdlc_cast_values, "0x%02x", p[0]), tok2str(ethertype_values, "Unknown", proto), proto, length)); } length -= CHDLC_HDRLEN; p += CHDLC_HDRLEN; switch (proto) {

[tcpdump_CVE-2017-13687_1486127691_chdlc_print.diff] chdlc_print_OLD.c #2
break; case ETHERTYPE_ISO: /* is the fudge byte set ? lets verify by spotting ISO headers */ + if (length < 2) + goto trunc; + ND_TCHECK_16BITS(p); if (*(p+1) == 0x81 || *(p+1) == 0x82 || *(p+1) == 0x83)
.\cloneFuncs\totalClone\Type-1\CVE-2017-13687_before_imd_1484139285_chdlc_print.c
26
27
28
29
30
31
32
33
34
35
chdlc_slarp_print(ndo, p, length); break; #if 0 case CHDLC_TYPE_CDP: chdlc_cdp_print(p, length); break; #endif case ETHERTYPE_MPLS: case ETHERTYPE_MPLS_MULTI: mpls_print(ndo, p, length);
+ show +
36
37
38
39
40
41
break; case ETHERTYPE_ISO: /* is the fudge byte set ? lets verify by spotting ISO headers */ if (*(p+1) == 0x81 || *(p+1) == 0x82 || *(p+1) == 0x83)
+ show +
42
43
44
45
46
47
48
49
50
51
isoclns_print(ndo, p + 1, length - 1, ndo->ndo_snapend - p - 1); else isoclns_print(ndo, p, length, ndo->ndo_snapend - p); break; default: if (!ndo->ndo_eflag) ND_PRINT((ndo, "unknown CHDLC protocol (0x%04x)", proto)); break; }
.\cloneFuncs\totalClone\Type-2\CVE-2017-13687_before_1mo_1471182139_chdlc_print.c
26
27
28
29
30
31
32
33
34
35
chdlc_slarp_print(ndo, p, length); break; #if 0 case CHDLC_TYPE_CDP: chdlc_cdp_print(p, length); break; #endif case ETHERTYPE_MPLS: case ETHERTYPE_MPLS_MULTI: mpls_print(ndo, p, length);
+ show +
36
37
38
39
40
41
break; case ETHERTYPE_ISO: /* is the fudge byte set ? lets verify by spotting ISO headers */ if (*(p+1) == 0x81 || *(p+1) == 0x82 || *(p+1) == 0x83)
+ show +
42
43
44
45
46
47
48
49
50
51
isoclns_print(ndo, p + 1, length - 1, length - 1); else isoclns_print(ndo, p, length, length); break; default: if (!ndo->ndo_eflag) ND_PRINT((ndo, "unknown CHDLC protocol (0x%04x)", proto)); break; }

[xen_CVE-2017-14316_1505220196_get_free_buddy.diff] get_free_buddy_OLD.c #1
if ( node >= MAX_NUMNODES ) node = cpu_to_node(smp_processor_id()); } + else if ( unlikely(node >= MAX_NUMNODES) ) + { + ASSERT_UNREACHABLE(); + return NULL; + } first_node = node; - ASSERT(node < MAX_NUMNODES); - /* * Start with requested node, but exhaust all node memory in requested * zone before failing, only calc new node value if we fail to find memory
.\cloneFuncs\totalClone\Type-1\CVE-2017-14316_before_imd_1504712032_get_free_buddy.c
10
11
12
13
14
15
16
17
18
19
bool use_unscrubbed = (memflags & MEMF_no_scrub); if ( node == NUMA_NO_NODE ) { if ( d != NULL ) { node = next_node(d->last_alloc_node, nodemask); if ( node >= MAX_NUMNODES ) node = first_node(nodemask); }
+ show +
20
21
22
23
24
25
26
27
28
29
if ( node >= MAX_NUMNODES ) node = cpu_to_node(smp_processor_id()); } first_node = node; ASSERT(node < MAX_NUMNODES); /* * Start with requested node, but exhaust all node memory in requested * zone before failing, only calc new node value if we fail to find memory
+ show +
30
31
32
33
34
35
36
37
38
39
* in target node, this avoids needless computation on fast-path. */ for ( ; ; ) { zone = zone_hi; do { /* Check if target node can support the allocation. */ if ( !avail[node] || (avail[node][zone] < (1UL << order)) ) continue;

[xen_CVE-2017-14317_1505220296_domain_cleanup.diff] domain_cleanup_OLD.c #1
static void domain_cleanup(void) { xc_dominfo_t dominfo; - struct domain *domain, *tmp; + struct domain *domain; int notify = 0; - list_for_each_entry_safe(domain, tmp, &domains, list) { + again: + list_for_each_entry(domain, &domains, list) { if (xc_domain_getinfo(*xc_handle, domain->domid, 1, &dominfo) == 1 && dominfo.domid == domain->domid) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-14317_before_1mo_1490959759_domain_cleanup.c
+ show +
1
2
3
4
5
6
7
8
9
10
static void domain_cleanup(void) { xc_dominfo_t dominfo; struct domain *domain, *tmp; int notify = 0; list_for_each_entry_safe(domain, tmp, &domains, list) { if (xc_domain_getinfo(*xc_handle, domain->domid, 1, &dominfo) == 1 && dominfo.domid == domain->domid) {
+ show +
11
12
13
14
15
16
17
18
19
20
if ((dominfo.crashed || dominfo.shutdown) && !domain->shutdown) { domain->shutdown = 1; notify = 1; } if (!dominfo.dying) continue; } talloc_free(domain->conn); notify = 0; /* destroy_domain() fires the watch */

[xen_CVE-2017-14319_1505220313_replace_grant_pv_mapping.diff] replace_grant_pv_mapping_OLD.c #1
unsigned long gl1mfn; struct page_info *l1pg; int rc; + unsigned int grant_pte_flags; + + grant_pte_flags = + _PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_GNTTAB | _PAGE_NX; + + if ( flags & GNTMAP_application_map ) + grant_pte_flags |= _PAGE_USER; + if ( !(flags & GNTMAP_readonly) ) + grant_pte_flags |= _PAGE_RW; + /* + * On top of the explicit settings done by create_grant_host_mapping() + * also open-code relevant parts of adjust_guest_l1e(). Don't mirror + * available and cachability flags, though. + */ + if ( !is_pv_32bit_domain(curr->domain) ) + grant_pte_flags |= (grant_pte_flags & _PAGE_USER) + ? _PAGE_GLOBAL + : _PAGE_GUEST_KERNEL | _PAGE_USER; if ( flags & GNTMAP_contains_pte ) { if ( !new_addr ) - return destroy_grant_pte_mapping(addr, frame, curr->domain); + return destroy_grant_pte_mapping(addr, frame, grant_pte_flags, + curr->domain); return GNTST_general_error; } if ( !new_addr ) - return destroy_grant_va_mapping(addr, frame, curr); + return destroy_grant_va_mapping(addr, frame, grant_pte_flags, curr); pl1e = guest_map_l1e(new_addr, &gl1mfn); if ( !pl1e )
.\cloneFuncs\totalClone\Type-1\CVE-2017-14319_before_imd_1504525326_replace_grant_pv_mapping.c
1
2
3
4
5
int replace_grant_pv_mapping(uint64_t addr, unsigned long frame, uint64_t new_addr, unsigned int flags) { struct vcpu *curr = current; l1_pgentry_t *pl1e, ol1e;
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
unsigned long gl1mfn; struct page_info *l1pg; int rc; if ( flags & GNTMAP_contains_pte ) { if ( !new_addr ) return destroy_grant_pte_mapping(addr, frame, curr->domain); return GNTST_general_error; } if ( !new_addr ) return destroy_grant_va_mapping(addr, frame, curr); pl1e = guest_map_l1e(new_addr, &gl1mfn); if ( !pl1e )
+ show +
23
24
25
26
27
28
29
30
31
32
{ gdprintk(XENLOG_WARNING, "Could not find L1 PTE for address %"PRIx64"\n", new_addr); return GNTST_general_error; } if ( !get_page_from_mfn(_mfn(gl1mfn), current->domain) ) { guest_unmap_l1e(pl1e); return GNTST_general_error;

[xen_CVE-2017-14319_1505220313_replace_grant_va_mapping.diff] replace_grant_va_mapping_OLD.c #1
static int replace_grant_va_mapping( - unsigned long addr, unsigned long frame, l1_pgentry_t nl1e, struct vcpu *v) + unsigned long addr, unsigned long frame, unsigned int grant_pte_flags, + l1_pgentry_t nl1e, struct vcpu *v) { l1_pgentry_t *pl1e, ol1e; unsigned long gl1mfn;
.\cloneFuncs\totalClone\Type-1\CVE-2017-14319_before_imd_1504525326_replace_grant_va_mapping.c
+ show +
1
2
3
4
5
static int replace_grant_va_mapping( unsigned long addr, unsigned long frame, l1_pgentry_t nl1e, struct vcpu *v) { l1_pgentry_t *pl1e, ol1e; unsigned long gl1mfn;
+ show +
6
7
8
9
10
11
12
13
14
15
struct page_info *l1pg; int rc = 0; pl1e = guest_map_l1e(addr, &gl1mfn); if ( !pl1e ) { gdprintk(XENLOG_WARNING, "Could not find L1 PTE for address %lx\n", addr); return GNTST_general_error; }
.\cloneFuncs\totalClone\Type-2\CVE-2017-14319_before_1mo_1501060682_replace_grant_va_mapping.c
+ show +
1
2
3
4
5
static int replace_grant_va_mapping( unsigned long addr, unsigned long frame, l1_pgentry_t nl1e, struct vcpu *v) { l1_pgentry_t *pl1e, ol1e; unsigned long gl1mfn;
+ show +
6
7
8
9
10
11
12
13
14
15
struct page_info *l1pg; int rc = 0; pl1e = guest_map_l1e(addr, &gl1mfn); if ( !pl1e ) { gdprintk(XENLOG_WARNING, "Could not find L1 PTE for address %lx\n", addr); return GNTST_general_error; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-14319_before_6mo_1488454877_replace_grant_va_mapping.c
+ show +
1
2
3
4
5
static int replace_grant_va_mapping( unsigned long addr, unsigned long frame, l1_pgentry_t nl1e, struct vcpu *v) { l1_pgentry_t *pl1e, ol1e; unsigned long gl1mfn;
+ show +
6
7
8
9
10
11
12
13
14
15
struct page_info *l1pg; int rc = 0; pl1e = guest_map_l1e(addr, &gl1mfn); if ( !pl1e ) { MEM_LOG("Could not find L1 PTE for address %lx", addr); return GNTST_general_error; }

[qemu_CVE-2017-15118_1511384842_nbd_negotiate_handle_info.diff] nbd_negotiate_handle_info_OLD.c #1
msg = "name length is incorrect"; goto invalid; } + if (namelen >= sizeof(name)) { + msg = "name too long for qemu"; + goto invalid; + } if (nbd_read(client->ioc, name, namelen, errp) < 0) { return -EIO; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-15118_before_imd_1511389516_nbd_negotiate_handle_info.c
23
24
25
26
27
28
29
30
31
32
if (length < sizeof(namelen) + sizeof(requests)) { msg = "overall request too short"; goto invalid; } if (nbd_read(client->ioc, &namelen, sizeof(namelen), errp) < 0) { return -EIO; } be32_to_cpus(&namelen); length -= sizeof(namelen); if (namelen > length - sizeof(requests) || (length - namelen) % 2) {
+ show +
33
34
35
36
37
38
msg = "name length is incorrect"; goto invalid; } if (nbd_read(client->ioc, name, namelen, errp) < 0) { return -EIO; }
+ show +
39
40
41
42
43
44
45
46
47
48
name[namelen] = '\0'; length -= namelen; trace_nbd_negotiate_handle_export_name_request(name); if (nbd_read(client->ioc, &requests, sizeof(requests), errp) < 0) { return -EIO; } be16_to_cpus(&requests); length -= sizeof(requests); trace_nbd_negotiate_handle_info_requests(requests);
.\cloneFuncs\totalClone\Type-3\CVE-2017-15118_before_1mo_1507847340_nbd_negotiate_handle_info.c
23
24
25
26
27
28
29
30
31
32
if (length < sizeof(namelen) + sizeof(requests)) { msg = "overall request too short"; goto invalid; } if (nbd_read(client->ioc, &namelen, sizeof(namelen), errp) < 0) { return -EIO; } be32_to_cpus(&namelen); length -= sizeof(namelen); if (namelen > length - sizeof(requests) || (length - namelen) % 2) {
+ show +
33
34
35
36
37
38
msg = "name length is incorrect"; goto invalid; } if (nbd_read(client->ioc, name, namelen, errp) < 0) { return -EIO; }
+ show +
39
40
41
42
43
44
45
46
47
48
name[namelen] = '\0'; length -= namelen; trace_nbd_negotiate_handle_export_name_request(name); if (nbd_read(client->ioc, &requests, sizeof(requests), errp) < 0) { return -EIO; } be16_to_cpus(&requests); length -= sizeof(requests); trace_nbd_negotiate_handle_info_requests(requests);

[qemu_CVE-2017-15119_1511389516_nbd_negotiate_options.diff] nbd_negotiate_options_OLD.c #1
} length = be32_to_cpu(length); + if (length > NBD_MAX_BUFFER_SIZE) { + error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)", + length, NBD_MAX_BUFFER_SIZE); + return -EINVAL; + } + trace_nbd_negotiate_options_check_option(option, nbd_opt_lookup(option)); if (client->tlscreds &&
.\cloneFuncs\totalClone\Type-1\CVE-2017-15119_before_imd_1510781756_nbd_negotiate_options.c
58
59
60
61
62
63
64
65
66
67
if (nbd_read(client->ioc, &option, sizeof(option), errp) < 0) { error_prepend(errp, "read failed: "); return -EINVAL; } option = be32_to_cpu(option); if (nbd_read(client->ioc, &length, sizeof(length), errp) < 0) { error_prepend(errp, "read failed: "); return -EINVAL;
+ show +
68
69
70
71
72
73
} length = be32_to_cpu(length); trace_nbd_negotiate_options_check_option(option, nbd_opt_lookup(option)); if (client->tlscreds &&
+ show +
74
75
76
77
78
79
80
81
82
83
client->ioc == (QIOChannel *)client->sioc) { QIOChannel *tioc; if (!fixedNewstyle) { error_setg(errp, "Unsupported option 0x%" PRIx32, option); return -EINVAL; } switch (option) { case NBD_OPT_STARTTLS: if (length) { /* Unconditionally drop the connection if the client
.\cloneFuncs\totalClone\Type-3\CVE-2017-15119_before_1mo_1507847340_nbd_negotiate_options.c
58
59
60
61
62
63
64
65
66
67
if (nbd_read(client->ioc, &option, sizeof(option), errp) < 0) { error_prepend(errp, "read failed: "); return -EINVAL; } option = be32_to_cpu(option); if (nbd_read(client->ioc, &length, sizeof(length), errp) < 0) { error_prepend(errp, "read failed: "); return -EINVAL;
+ show +
68
69
70
71
72
73
} length = be32_to_cpu(length); trace_nbd_negotiate_options_check_option(option, nbd_opt_lookup(option)); if (client->tlscreds &&
+ show +
74
75
76
77
78
79
80
81
82
83
client->ioc == (QIOChannel *)client->sioc) { QIOChannel *tioc; if (!fixedNewstyle) { error_setg(errp, "Unsupported option 0x%" PRIx32, option); return -EINVAL; } switch (option) { case NBD_OPT_STARTTLS: tioc = nbd_negotiate_handle_starttls(client, length, errp); if (!tioc) {

[qemu_CVE-2017-15268_1513624345_vnc_client_write_plain.diff] vnc_client_write_plain_OLD.c #1
if (!ret) return 0; + if (ret >= vs->force_update_offset) { + vs->force_update_offset = 0; + } else { + vs->force_update_offset -= ret; + } buffer_advance(&vs->output, ret); if (vs->output.offset == 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-15268_before_1mo_1505229707_vnc_client_write_plain.c
9
10
11
12
13
14
15
16
17
18
if (vs->sasl.conn && vs->sasl.runSSF && vs->sasl.waitWriteSSF) { ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF); if (ret) vs->sasl.waitWriteSSF -= ret; } else #endif /* CONFIG_VNC_SASL */ ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
+ show +
19
20
21
22
23
24
if (!ret) return 0; buffer_advance(&vs->output, ret); if (vs->output.offset == 0) {
+ show +
25
26
27
28
29
30
31
32
33
if (vs->ioc_tag) { g_source_remove(vs->ioc_tag); } vs->ioc_tag = qio_channel_add_watch( vs->ioc, G_IO_IN, vnc_client_io, vs, NULL); } return ret; }

[xen_CVE-2017-15592_1510825094_sh_guess_wrmap.diff] sh_guess_wrmap_OLD.c #1
/* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 - /* Is a shadow linear map is installed in the first place? */ - sl4p = v->arch.paging.shadow.guest_vtable; - sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); - if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) - return 0; + /* + * Non-external guests (i.e. PV) have a SHADOW_LINEAR mapping from the + * moment their shadows are created. External guests (i.e. HVM) may not, + * but always have a regular linear mapping, which we can use to observe + * whether a SHADOW_LINEAR mapping is present. + */ + if ( paging_mode_external(d) ) + { + sl4p = __linear_l4_table + l4_linear_offset(SH_LINEAR_PT_VIRT_START); + if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) + return 0; + } sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2017-15592_before_1mo_1507812607_sh_guess_wrmap.c
5
6
7
8
9
10
11
12
13
14
struct domain *d = v->domain; shadow_l1e_t sl1e, *sl1p; shadow_l2e_t *sl2p; shadow_l3e_t *sl3p; #if SHADOW_PAGING_LEVELS >= 4 shadow_l4e_t *sl4p; #endif mfn_t sl1mfn; int r;
+ show +
15
16
17
18
19
20
21
22
23
24
/* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 /* Is a shadow linear map is installed in the first place? */ sl4p = v->arch.paging.shadow.guest_vtable; sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0; sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0;
+ show +
25
26
27
28
29
30
31
32
33
34
sl3p = sh_linear_l3_table(v) + shadow_l3_linear_offset(vaddr); if ( !(shadow_l3e_get_flags(*sl3p) & _PAGE_PRESENT) ) return 0; #else /* SHADOW_PAGING_LEVELS == 3 */ sl3p = ((shadow_l3e_t *) v->arch.paging.shadow.l3table) + shadow_l3_linear_offset(vaddr); if ( !(shadow_l3e_get_flags(*sl3p) & _PAGE_PRESENT) ) return 0; #endif sl2p = sh_linear_l2_table(v) + shadow_l2_linear_offset(vaddr);

[xen_CVE-2017-15597_1508853693_gnttab_copy_release_buf.diff] gnttab_copy_release_buf_OLD.c #1
unmap_domain_page(buf->virt); buf->virt = NULL; } + if ( buf->have_grant ) + { + release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only); + buf->have_grant = 0; + } if ( buf->have_type ) { put_page_type(buf->page);
.\cloneFuncs\totalClone\Type-1\CVE-2017-15597_before_1mo_1506000784_gnttab_copy_release_buf.c
1
2
3
4
static void gnttab_copy_release_buf(struct gnttab_copy_buf *buf) { if ( buf->virt ) {
+ show +
5
6
7
8
9
10
unmap_domain_page(buf->virt); buf->virt = NULL; } if ( buf->have_type ) { put_page_type(buf->page);
+ show +
11
12
13
14
15
16
17
18
19
20
buf->have_type = 0; } if ( buf->page ) { put_page(buf->page); buf->page = NULL; } if ( buf->have_grant ) { release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only);
.\cloneFuncs\totalClone\Type-2\CVE-2017-15597_before_6mo_1484751924_gnttab_copy_release_buf.c
1
2
3
4
static void gnttab_copy_release_buf(struct gnttab_copy_buf *buf) { if ( buf->virt ) {
+ show +
5
6
7
8
9
10
unmap_domain_page(buf->virt); buf->virt = NULL; } if ( buf->have_type ) { put_page_type(buf->page);
+ show +
11
12
13
14
15
16
17
18
19
20
buf->have_type = 0; } if ( buf->page ) { put_page(buf->page); buf->page = NULL; } if ( buf->have_grant ) { __release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only);

[tcpdump_CVE-2017-16808_1559739013_aoev1_reserve_print.diff] aoev1_reserve_print_OLD.c #1
goto invalid; /* addresses */ for (i = 0; i < nmacs; i++) { + ND_TCHECK_LEN(cp, MAC_ADDR_LEN); ND_PRINT("\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)); cp += MAC_ADDR_LEN; }
.\cloneFuncs\totalClone\Type-1\CVE-2017-16808_before_imd_1529162601_aoev1_reserve_print.c
11
12
13
14
15
16
17
18
19
20
ND_TCHECK_1(cp); ND_PRINT("\n\tRCmd: %s", tok2str(aoev1_rcmd_str, "Unknown (0x%02x)", GET_U_1(cp))); cp += 1; /* NMacs (correlated with the length) */ ND_TCHECK_1(cp); nmacs = GET_U_1(cp); cp += 1; ND_PRINT(", NMacs: %u", nmacs); if (AOEV1_RESERVE_ARG_LEN + nmacs * MAC_ADDR_LEN != len)
+ show +
21
22
23
24
25
26
goto invalid; /* addresses */ for (i = 0; i < nmacs; i++) { ND_PRINT("\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)); cp += MAC_ADDR_LEN; }
+ show +
27
28
29
30
31
32
33
34
35
return; invalid: nd_print_invalid(ndo); ND_TCHECK_LEN(cp, ep - cp); return; trunc: nd_print_trunc(ndo); }
.\cloneFuncs\totalClone\Type-3\CVE-2017-16808_before_1mo_1536661675_aoev1_reserve_print.c
10
11
12
13
14
15
16
17
18
19
/* RCmd */ ND_TCHECK_1(cp); ND_PRINT("\n\tRCmd: %s", tok2str(aoev1_rcmd_str, "Unknown (0x%02x)", EXTRACT_U_1(cp))); cp += 1; /* NMacs (correlated with the length) */ ND_TCHECK_1(cp); nmacs = EXTRACT_U_1(cp); cp += 1; ND_PRINT(", NMacs: %u", nmacs); if (AOEV1_RESERVE_ARG_LEN + nmacs * MAC_ADDR_LEN != len)
+ show +
20
21
22
23
24
25
goto invalid; /* addresses */ for (i = 0; i < nmacs; i++) { ND_PRINT("\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)); cp += MAC_ADDR_LEN; }
+ show +
26
27
28
29
30
31
32
33
34
return; invalid: nd_print_invalid(ndo); ND_TCHECK_LEN(cp, ep - cp); return; trunc: nd_print_trunc(ndo); }
.\cloneFuncs\totalClone\Type-3\CVE-2017-16808_before_6mo_1529903266_aoev1_reserve_print.c
10
11
12
13
14
15
16
17
18
19
/* RCmd */ ND_TCHECK_1(cp); ND_PRINT("\n\tRCmd: %s", tok2str(aoev1_rcmd_str, "Unknown (0x%02x)", EXTRACT_U_1(cp))); cp += 1; /* NMacs (correlated with the length) */ ND_TCHECK_1(cp); nmacs = EXTRACT_U_1(cp); cp += 1; ND_PRINT(", NMacs: %u", nmacs); if (AOEV1_RESERVE_ARG_LEN + nmacs * MAC_ADDR_LEN != len)
+ show +
20
21
22
23
24
25
goto invalid; /* addresses */ for (i = 0; i < nmacs; i++) { ND_PRINT("\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)); cp += MAC_ADDR_LEN; }
+ show +
26
27
28
29
30
31
32
33
34
return; invalid: ND_PRINT("%s", istr); ND_TCHECK_LEN(cp, ep - cp); return; trunc: nd_print_trunc(ndo); }

[linux_CVE-2017-16995_1513656714_check_alu_op.diff] check_alu_op_OLD.c #1
* remember the value we stored into this reg */ regs[insn->dst_reg].type = SCALAR_VALUE; - __mark_reg_known(regs + insn->dst_reg, insn->imm); + if (BPF_CLASS(insn->code) == BPF_ALU64) { + __mark_reg_known(regs + insn->dst_reg, + insn->imm); + } else { + __mark_reg_known(regs + insn->dst_reg, + (u32)insn->imm); + } } } else if (opcode > BPF_END) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-16995_before_1mo_1510526949_check_alu_op.c
77
78
79
80
81
82
83
84
85
86
return -EACCES; } mark_reg_unknown(env, regs, insn->dst_reg); /* high 32 bits are known zero. */ regs[insn->dst_reg].var_off = tnum_cast( regs[insn->dst_reg].var_off, 4); __update_reg_bounds(&regs[insn->dst_reg]); } } else { /* case: R = imm
+ show +
87
88
89
90
91
92
93
* remember the value we stored into this reg */ regs[insn->dst_reg].type = SCALAR_VALUE; __mark_reg_known(regs + insn->dst_reg, insn->imm); } } else if (opcode > BPF_END) {
+ show +
94
95
96
97
98
99
100
101
102
103
verbose(env, "invalid BPF_ALU opcode %x\n", opcode); return -EINVAL; } else { /* all other ALU ops: and, sub, xor, add, ... */ if (BPF_SRC(insn->code) == BPF_X) { if (insn->imm != 0 || insn->off != 0) { verbose(env, "BPF_ALU uses reserved fields\n"); return -EINVAL; }

[linux_CVE-2017-16996_1513656715_check_alu_op.diff] check_alu_op_OLD.c #1
return -EACCES; } mark_reg_unknown(env, regs, insn->dst_reg); - /* high 32 bits are known zero. */ - regs[insn->dst_reg].var_off = tnum_cast( - regs[insn->dst_reg].var_off, 4); - __update_reg_bounds(®s[insn->dst_reg]); + coerce_reg_to_size(®s[insn->dst_reg], 4); } } else { /* case: R = imm
.\cloneFuncs\totalClone\Type-1\CVE-2017-16995_before_1mo_1510526949_check_alu_op.c
67
68
69
70
71
72
73
74
75
76
* copy register state to dest reg */ regs[insn->dst_reg] = regs[insn->src_reg]; regs[insn->dst_reg].live |= REG_LIVE_WRITTEN; } else { /* R1 = (u32) R2 */ if (is_pointer_value(env, insn->src_reg)) { verbose(env, "R%d partial copy of pointer\n", insn->src_reg);
+ show +
77
78
79
80
81
82
83
84
85
86
return -EACCES; } mark_reg_unknown(env, regs, insn->dst_reg); /* high 32 bits are known zero. */ regs[insn->dst_reg].var_off = tnum_cast( regs[insn->dst_reg].var_off, 4); __update_reg_bounds(&regs[insn->dst_reg]); } } else { /* case: R = imm
+ show +
87
88
89
90
91
92
93
94
95
96
* remember the value we stored into this reg */ regs[insn->dst_reg].type = SCALAR_VALUE; __mark_reg_known(regs + insn->dst_reg, insn->imm); } } else if (opcode > BPF_END) { verbose(env, "invalid BPF_ALU opcode %x\n", opcode); return -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2017-16996_before_imd_1513656714_check_alu_op.c
67
68
69
70
71
72
73
74
75
76
* copy register state to dest reg */ regs[insn->dst_reg] = regs[insn->src_reg]; regs[insn->dst_reg].live |= REG_LIVE_WRITTEN; } else { /* R1 = (u32) R2 */ if (is_pointer_value(env, insn->src_reg)) { verbose(env, "R%d partial copy of pointer\n", insn->src_reg);
+ show +
77
78
79
80
81
82
83
84
85
86
return -EACCES; } mark_reg_unknown(env, regs, insn->dst_reg); /* high 32 bits are known zero. */ regs[insn->dst_reg].var_off = tnum_cast( regs[insn->dst_reg].var_off, 4); __update_reg_bounds(&regs[insn->dst_reg]); } } else { /* case: R = imm
+ show +
87
88
89
90
91
92
93
94
95
96
* remember the value we stored into this reg */ regs[insn->dst_reg].type = SCALAR_VALUE; if (BPF_CLASS(insn->code) == BPF_ALU64) { __mark_reg_known(regs + insn->dst_reg, insn->imm); } else { __mark_reg_known(regs + insn->dst_reg, (u32)insn->imm); }

[linux_CVE-2017-16996_1513656715_adjust_scalar_min_max_vals.diff] adjust_scalar_min_max_vals_OLD.c #1
if (BPF_CLASS(insn->code) != BPF_ALU64) { /* 32-bit ALU ops are (32,32)->64 */ - coerce_reg_to_32(dst_reg); - coerce_reg_to_32(&src_reg); + coerce_reg_to_size(dst_reg, 4); + coerce_reg_to_size(&src_reg, 4); } smin_val = src_reg.smin_value; smax_val = src_reg.smax_value;
.\cloneFuncs\totalClone\Type-1\CVE-2017-16996_before_imd_1513656714_adjust_scalar_min_max_vals.c
2
3
4
5
6
7
8
9
10
11
struct bpf_insn *insn, struct bpf_reg_state *dst_reg, struct bpf_reg_state src_reg) { struct bpf_reg_state *regs = cur_regs(env); u8 opcode = BPF_OP(insn->code); bool src_known, dst_known; s64 smin_val, smax_val; u64 umin_val, umax_val;
+ show +
12
13
14
15
16
17
18
if (BPF_CLASS(insn->code) != BPF_ALU64) { /* 32-bit ALU ops are (32,32)->64 */ coerce_reg_to_32(dst_reg); coerce_reg_to_32(&src_reg); } smin_val = src_reg.smin_value; smax_val = src_reg.smax_value;
+ show +
19
20
21
22
23
24
25
26
27
28
umin_val = src_reg.umin_value; umax_val = src_reg.umax_value; src_known = tnum_is_const(src_reg.var_off); dst_known = tnum_is_const(dst_reg->var_off); switch (opcode) { case BPF_ADD: if (signed_add_overflows(dst_reg->smin_value, smin_val) || signed_add_overflows(dst_reg->smax_value, smax_val)) { dst_reg->smin_value = S64_MIN;
.\cloneFuncs\totalClone\Type-3\CVE-2017-16996_before_1mo_1510526949_adjust_scalar_min_max_vals.c
2
3
4
5
6
7
8
9
10
11
struct bpf_insn *insn, struct bpf_reg_state *dst_reg, struct bpf_reg_state src_reg) { struct bpf_reg_state *regs = cur_regs(env); u8 opcode = BPF_OP(insn->code); bool src_known, dst_known; s64 smin_val, smax_val; u64 umin_val, umax_val;
+ show +
12
13
14
15
16
17
18
if (BPF_CLASS(insn->code) != BPF_ALU64) { /* 32-bit ALU ops are (32,32)->64 */ coerce_reg_to_32(dst_reg); coerce_reg_to_32(&src_reg); } smin_val = src_reg.smin_value; smax_val = src_reg.smax_value;
+ show +
19
20
21
22
23
24
25
26
27
28
umin_val = src_reg.umin_value; umax_val = src_reg.umax_value; src_known = tnum_is_const(src_reg.var_off); dst_known = tnum_is_const(dst_reg->var_off); switch (opcode) { case BPF_ADD: if (signed_add_overflows(dst_reg->smin_value, smin_val) || signed_add_overflows(dst_reg->smax_value, smax_val)) { dst_reg->smin_value = S64_MIN;

[linux_CVE-2017-17741_1513302050_io_mem_abort.diff] io_mem_abort_OLD.c #1
data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt), len); - trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data); + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data); kvm_mmio_write_buf(data_buf, len, data); ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len, data_buf); } else { trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len, - fault_ipa, 0); + fault_ipa, NULL); ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len, data_buf);
.\cloneFuncs\totalClone\Type-1\CVE-2017-17741_before_imd_1493898857_io_mem_abort.c
18
19
20
21
22
23
24
25
26
27
if (ret) return ret; } else { kvm_err("load/store instruction decoding not implemented\n"); return -ENOSYS; } rt = vcpu->arch.mmio_decode.rt; if (is_write) {
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
41
data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt), len); trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data); kvm_mmio_write_buf(data_buf, len, data); ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len, data_buf); } else { trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len, fault_ipa, 0); ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len, data_buf);
+ show +
42
43
44
45
46
47
48
49
50
51
} /* Now prepare kvm_run for the potential return to userland. */ run->mmio.is_write = is_write; run->mmio.phys_addr = fault_ipa; run->mmio.len = len; if (!ret) { /* We handled the access successfully in the kernel. */ if (!is_write)

[linux_CVE-2017-2584_1484188109_em_fxrstor.diff] em_fxrstor_OLD.c #1
if (rc != X86EMUL_CONTINUE) return rc; - rc = segmented_read(ctxt, ctxt->memop.addr.mem, &fx_state, 512); + rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, 512); if (rc != X86EMUL_CONTINUE) return rc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-2584_before_imd_1481672822_em_fxrstor.c
1
2
3
4
5
6
static int em_fxrstor(struct x86_emulate_ctxt *ctxt) { struct fxregs_state fx_state; int rc; rc = check_fxsr(ctxt);
+ show +
7
8
9
10
11
12
if (rc != X86EMUL_CONTINUE) return rc; rc = segmented_read(ctxt, ctxt->memop.addr.mem, &fx_state, 512); if (rc != X86EMUL_CONTINUE) return rc;
+ show +
13
14
15
16
17
18
19
20
21
22
if (fx_state.mxcsr >> 16) return emulate_gp(ctxt, 0); ctxt->ops->get_fpu(ctxt); if (ctxt->mode < X86EMUL_MODE_PROT64) rc = fxrstor_fixup(ctxt, &fx_state); if (rc == X86EMUL_CONTINUE)

[qemu_CVE-2017-2615_1485938101_blit_region_is_unsafe.diff] blit_region_is_unsafe_OLD.c #1
{ if (pitch < 0) { int64_t min = addr - + ((int64_t)s->cirrus_blt_height-1) * pitch; - int32_t max = addr - + s->cirrus_blt_width; - if (min < 0 || max > s->vga.vram_size) { + + ((int64_t)s->cirrus_blt_height - 1) * pitch + - s->cirrus_blt_width; + if (min < -1 || addr >= s->vga.vram_size) { return true; } } else {
.\cloneFuncs\totalClone\Type-1\CVE-2017-2615_before_6mo_1457942488_blit_region_is_unsafe.c
1
2
static bool blit_region_is_unsafe(struct CirrusVGAState *s, int32_t pitch, int32_t addr)
+ show +
3
4
5
6
7
8
9
10
11
12
{ if (pitch < 0) { int64_t min = addr + ((int64_t)s->cirrus_blt_height-1) * pitch; int32_t max = addr + s->cirrus_blt_width; if (min < 0 || max > s->vga.vram_size) { return true; } } else {
+ show +
13
14
15
16
17
18
19
20
21
int64_t max = addr + ((int64_t)s->cirrus_blt_height-1) * pitch + s->cirrus_blt_width; if (max > s->vga.vram_size) { return true; } } return false; }

[qemu_CVE-2017-2620_1486549116_cirrus_bitblt_cputovideo.diff] cirrus_bitblt_cputovideo_OLD.c #1
{ int w; + if (blit_is_unsafe(s, true)) { + return 0; + } + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr = &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
.\cloneFuncs\totalClone\Type-1\CVE-2017-2620_before_1mo_1476776717_cirrus_bitblt_cputovideo.c
1
static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ show +
2
3
4
5
6
7
{ int w; s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr = &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+ show +
8
9
10
11
12
13
14
15
16
17
if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) { if (s->cirrus_blt_mode & CIRRUS_BLTMODE_COLOREXPAND) { s->cirrus_blt_srcpitch = 8; } else { /* XXX: check for 24 bpp */ s->cirrus_blt_srcpitch = 8 * 8 * s->cirrus_blt_pixelwidth; } s->cirrus_srccounter = s->cirrus_blt_srcpitch; } else {

[openssl_CVE-2019-1543_1551796755_chacha20_poly1305_ctrl.diff] chacha20_poly1305_ctrl_OLD.c #1
return 1; case EVP_CTRL_AEAD_SET_IVLEN: - if (arg <= 0 || arg > CHACHA_CTR_SIZE) + if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) return 0; actx->nonce_len = arg; return 1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-3731_after_1mo_1508249049_chacha20_poly1305_ctrl.c
25
26
27
28
29
30
31
32
33
34
if (actx) { EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr; dst->cipher_data = OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size()); if (dst->cipher_data == NULL) { EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR); return 0; } }
+ show +
35
36
37
38
39
40
41
return 1; case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > CHACHA_CTR_SIZE) return 0; actx->nonce_len = arg; return 1;
+ show +
42
43
44
45
46
47
48
49
50
51
case EVP_CTRL_AEAD_SET_IV_FIXED: if (arg != 12) return 0; actx->nonce[0] = actx->key.counter[1] = CHACHA_U8TOU32((unsigned char *)ptr); actx->nonce[1] = actx->key.counter[2] = CHACHA_U8TOU32((unsigned char *)ptr+4); actx->nonce[2] = actx->key.counter[3] = CHACHA_U8TOU32((unsigned char *)ptr+8);
.\cloneFuncs\totalClone\Type-1\CVE-2017-3731_before_1mo_1478265706_chacha20_poly1305_ctrl.c
25
26
27
28
29
30
31
32
33
34
if (actx) { EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr; dst->cipher_data = OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size()); if (dst->cipher_data == NULL) { EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR); return 0; } }
+ show +
35
36
37
38
39
40
41
return 1; case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > CHACHA_CTR_SIZE) return 0; actx->nonce_len = arg; return 1;
+ show +
42
43
44
45
46
47
48
49
50
51
case EVP_CTRL_AEAD_SET_IV_FIXED: if (arg != 12) return 0; actx->nonce[0] = actx->key.counter[1] = CHACHA_U8TOU32((unsigned char *)ptr); actx->nonce[1] = actx->key.counter[2] = CHACHA_U8TOU32((unsigned char *)ptr+4); actx->nonce[2] = actx->key.counter[3] = CHACHA_U8TOU32((unsigned char *)ptr+8);
.\cloneFuncs\totalClone\Type-1\CVE-2019-1543_before_1mo_1544100006_chacha20_poly1305_ctrl.c
26
27
28
29
30
31
32
33
34
35
if (actx) { EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr; dst->cipher_data = OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size()); if (dst->cipher_data == NULL) { EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR); return 0; } }
+ show +
36
37
38
39
40
41
42
return 1; case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > CHACHA_CTR_SIZE) return 0; actx->nonce_len = arg; return 1;
+ show +
43
44
45
46
47
48
49
50
51
52
case EVP_CTRL_AEAD_SET_IV_FIXED: if (arg != 12) return 0; actx->nonce[0] = actx->key.counter[1] = CHACHA_U8TOU32((unsigned char *)ptr); actx->nonce[1] = actx->key.counter[2] = CHACHA_U8TOU32((unsigned char *)ptr+4); actx->nonce[2] = actx->key.counter[3] = CHACHA_U8TOU32((unsigned char *)ptr+8);
.\cloneFuncs\totalClone\Type-3\CVE-2017-3731_before_6mo_1462877168_chacha20_poly1305_ctrl.c
23
24
25
26
27
28
29
30
31
32
case EVP_CTRL_COPY: if (actx) { if ((((EVP_CIPHER_CTX *)ptr)->cipher_data = OPENSSL_memdup(actx,sizeof(*actx) + Poly1305_ctx_size())) == NULL) { EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR); return 0; } }
+ show +
33
34
35
36
37
38
39
return 1; case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > CHACHA_CTR_SIZE) return 0; actx->nonce_len = arg; return 1;
+ show +
40
41
42
43
44
45
46
47
48
49
case EVP_CTRL_AEAD_SET_IV_FIXED: if (arg != 12) return 0; actx->nonce[0] = actx->key.counter[1] = CHACHA_U8TOU32((unsigned char *)ptr); actx->nonce[1] = actx->key.counter[2] = CHACHA_U8TOU32((unsigned char *)ptr+4); actx->nonce[2] = actx->key.counter[3] = CHACHA_U8TOU32((unsigned char *)ptr+8);

[openssl_CVE-2017-3731_1484781649_chacha20_poly1305_ctrl.diff] chacha20_poly1305_ctrl_OLD.c #1
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1]; if (!ctx->encrypt) { + if (len < POLY1305_BLOCK_SIZE) + return 0; len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); aad = temp;
.\cloneFuncs\totalClone\Type-1\CVE-2017-3731_before_1mo_1478265706_chacha20_poly1305_ctrl.c
66
67
68
69
70
71
72
73
74
75
memcpy(ptr, actx->tag, arg); return 1; case EVP_CTRL_AEAD_TLS1_AAD: if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; { unsigned int len; unsigned char *aad = ptr, temp[POLY1305_BLOCK_SIZE];
+ show +
76
77
78
79
80
81
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1]; if (!ctx->encrypt) { len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); aad = temp;
+ show +
82
83
84
85
86
87
88
89
90
91
temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8); temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len; } actx->tls_payload_length = len; /* * merge record sequence number as per * draft-ietf-tls-chacha20-poly1305-03 */ actx->key.counter[1] = actx->nonce[0];
.\cloneFuncs\totalClone\Type-3\CVE-2017-3731_before_6mo_1462877168_chacha20_poly1305_ctrl.c
64
65
66
67
68
69
70
71
72
73
memcpy(ptr, actx->tag, arg); return 1; case EVP_CTRL_AEAD_TLS1_AAD: if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; { unsigned int len; unsigned char *aad = ptr, temp[POLY1305_BLOCK_SIZE];
+ show +
74
75
76
77
78
79
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1]; if (!ctx->encrypt) { len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); aad = temp;
+ show +
80
81
82
83
84
85
86
87
88
89
temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8); temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len; } actx->tls_payload_length = len; /* * merge record sequence number as per * draft-ietf-tls-chacha20-poly1305-03 */ actx->key.counter[1] = actx->nonce[0];

[openssl_CVE-2017-3731_1484781649_chacha20_poly1305_ctrl.diff] chacha20_poly1305_ctrl_OLD.c #2
actx->tls_payload_length = len; /* - * merge record sequence number as per - * draft-ietf-tls-chacha20-poly1305-03 + * merge record sequence number as per RFC7905 */ actx->key.counter[1] = actx->nonce[0]; actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
.\cloneFuncs\totalClone\Type-1\CVE-2017-3731_before_1mo_1478265706_chacha20_poly1305_ctrl.c
75
76
77
78
79
80
81
82
83
84
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1]; if (!ctx->encrypt) { len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); aad = temp; temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8); temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len; }
+ show +
85
86
87
88
89
90
91
92
actx->tls_payload_length = len; /* * merge record sequence number as per * draft-ietf-tls-chacha20-poly1305-03 */ actx->key.counter[1] = actx->nonce[0]; actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
+ show +
93
94
95
96
97
98
99
100
101
102
actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4); actx->mac_inited = 0; chacha20_poly1305_cipher(ctx, NULL, aad, EVP_AEAD_TLS1_AAD_LEN); return POLY1305_BLOCK_SIZE; /* tag length */ } case EVP_CTRL_AEAD_SET_MAC_KEY: /* no-op */ return 1;
.\cloneFuncs\totalClone\Type-3\CVE-2017-3731_before_6mo_1462877168_chacha20_poly1305_ctrl.c
73
74
75
76
77
78
79
80
81
82
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1]; if (!ctx->encrypt) { len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); aad = temp; temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8); temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len; }
+ show +
83
84
85
86
87
88
89
90
actx->tls_payload_length = len; /* * merge record sequence number as per * draft-ietf-tls-chacha20-poly1305-03 */ actx->key.counter[1] = actx->nonce[0]; actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
+ show +
91
92
93
94
95
96
97
98
99
100
actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4); actx->mac_inited = 0; chacha20_poly1305_cipher(ctx, NULL, aad, EVP_AEAD_TLS1_AAD_LEN); return POLY1305_BLOCK_SIZE; /* tag length */ } case EVP_CTRL_AEAD_SET_MAC_KEY: /* no-op */ return 1;

[openssl_CVE-2017-3733_1486133149_ssl3_get_record.diff] ssl3_get_record_OLD.c #1
unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) { + assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE); + if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); goto f_err; } mac_size = (size_t)imac_size; - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); for (j = 0; j < num_recs; j++) { thisrr = &rr[j];
.\cloneFuncs\totalClone\Type-1\CVE-2017-3733_before_imd_1486130780_ssl3_get_record.c
253
254
255
256
257
258
259
260
261
262
&& s->enc_read_ctx != NULL && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_PIPELINE) && ssl3_record_app_data_waiting(s)); /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ if (SSL_READ_ETM(s) && s->read_hash) {
+ show +
263
264
265
266
267
268
269
270
271
272
273
274
unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); goto f_err; } mac_size = (size_t)imac_size; OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); for (j = 0; j < num_recs; j++) { thisrr = &rr[j];
+ show +
275
276
277
278
279
280
281
282
283
284
if (thisrr->length < mac_size) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); goto f_err; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
.\cloneFuncs\totalClone\Type-2\CVE-2017-3733_before_1mo_1480676956_ssl3_get_record.c
253
254
255
256
257
258
259
260
261
262
&& s->enc_read_ctx != NULL && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_PIPELINE) && ssl3_record_app_data_waiting(s)); /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ if (SSL_USE_ETM(s) && s->read_hash) {
+ show +
263
264
265
266
267
268
269
270
271
272
273
274
unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); goto f_err; } mac_size = (size_t)imac_size; OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); for (j = 0; j < num_recs; j++) { thisrr = &rr[j];
+ show +
275
276
277
278
279
280
281
282
283
284
if (thisrr->length < mac_size) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); goto f_err; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {

[tcpdump_CVE-2017-5202_1482527478_clnp_print.diff] clnp_print_OLD.c #1
pptr += sizeof(struct clnp_header_t); li -= sizeof(struct clnp_header_t); + ND_TCHECK(*pptr); dest_address_length = *pptr; dest_address = pptr + 1; pptr += (1 + dest_address_length); li -= (1 + dest_address_length); + ND_TCHECK(*pptr); source_address_length = *pptr; source_address = pptr +1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5202_before_1mo_1471182139_clnp_print.c
24
25
26
27
28
29
30
31
32
33
if (clnp_header->version != CLNP_VERSION) { ND_PRINT((ndo, "version %d packet not supported", clnp_header->version)); return (0); } /* FIXME further header sanity checking */ clnp_pdu_type = clnp_header->type & CLNP_PDU_TYPE_MASK; clnp_flags = clnp_header->type & CLNP_FLAG_MASK;
+ show +
34
35
36
37
38
39
40
41
42
pptr += sizeof(struct clnp_header_t); li -= sizeof(struct clnp_header_t); dest_address_length = *pptr; dest_address = pptr + 1; pptr += (1 + dest_address_length); li -= (1 + dest_address_length); source_address_length = *pptr; source_address = pptr +1;
+ show +
43
44
45
46
47
48
49
50
51
52
pptr += (1 + source_address_length); li -= (1 + source_address_length); if (ndo->ndo_vflag < 1) { ND_PRINT((ndo, "%s%s > %s, %s, length %u", ndo->ndo_eflag ? "" : ", ", isonsap_string(ndo, source_address, source_address_length), isonsap_string(ndo, dest_address, dest_address_length), tok2str(clnp_pdu_values,"unknown (%u)",clnp_pdu_type),

[tcpdump_CVE-2017-5203_1482526406_bootp_print.diff] bootp_print_OLD.c #1
ND_PRINT((ndo, "BOOTP/DHCP, %s", tok2str(bootp_op_values, "unknown (0x%02x)", bp->bp_op))); + ND_TCHECK(bp->bp_hlen); if (bp->bp_htype == 1 && bp->bp_hlen == 6 && bp->bp_op == BOOTPREQUEST) { ND_TCHECK2(bp->bp_chaddr[0], 6); ND_PRINT((ndo, " from %s", etheraddr_string(ndo, bp->bp_chaddr)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-5203_before_imd_1437438221_bootp_print.c
2
3
4
5
6
7
8
9
10
11
bootp_print(netdissect_options *ndo, register const u_char *cp, u_int length) { register const struct bootp *bp; static const u_char vm_cmu[4] = VM_CMU; static const u_char vm_rfc1048[4] = VM_RFC1048; bp = (const struct bootp *)cp; ND_TCHECK(bp->bp_op);
+ show +
12
13
14
15
16
17
ND_PRINT((ndo, "BOOTP/DHCP, %s", tok2str(bootp_op_values, "unknown (0x%02x)", bp->bp_op))); if (bp->bp_htype == 1 && bp->bp_hlen == 6 && bp->bp_op == BOOTPREQUEST) { ND_TCHECK2(bp->bp_chaddr[0], 6); ND_PRINT((ndo, " from %s", etheraddr_string(ndo, bp->bp_chaddr)));
+ show +
18
19
20
21
22
23
24
25
26
27
} ND_PRINT((ndo, ", length %u", length)); if (!ndo->ndo_vflag) return; ND_TCHECK(bp->bp_secs); /* The usual hardware address type is 1 (10Mb Ethernet) */
.\cloneFuncs\totalClone\Type-3\CVE-2017-13028_before_6mo_1471267648_bootp_print.c
2
3
4
5
6
7
8
9
10
11
bootp_print(netdissect_options *ndo, register const u_char *cp, u_int length) { register const struct bootp *bp; static const u_char vm_cmu[4] = VM_CMU; static const u_char vm_rfc1048[4] = VM_RFC1048; bp = (const struct bootp *)cp; ND_TCHECK(bp->bp_op);
+ show +
12
13
14
15
16
17
ND_PRINT((ndo, "BOOTP/DHCP, %s", tok2str(bootp_op_values, "unknown (0x%02x)", bp->bp_op))); if (bp->bp_htype == 1 && bp->bp_hlen == 6 && bp->bp_op == BOOTPREQUEST) { ND_TCHECK2(bp->bp_chaddr[0], 6); ND_PRINT((ndo, " from %s", etheraddr_string(ndo, bp->bp_chaddr)));
+ show +
18
19
20
21
22
23
24
25
26
27
} ND_PRINT((ndo, ", length %u", length)); if (!ndo->ndo_vflag) return; ND_TCHECK(bp->bp_secs); /* The usual hardware address type is 1 (10Mb Ethernet) */

[tcpdump_CVE-2017-5204_1483923706_ip6_print.diff] ip6_print_OLD.c #1
switch (nh) { case IPPROTO_HOPOPTS: advance = hbhopt_print(ndo, cp); + if (advance < 0) + return; nh = *cp; break; case IPPROTO_DSTOPTS: advance = dstopt_print(ndo, cp); + if (advance < 0) + return; nh = *cp; break; case IPPROTO_FRAGMENT: advance = frag6_print(ndo, cp, (const u_char *)ip6); - if (ndo->ndo_snapend <= cp + advance) + if (advance < 0 || ndo->ndo_snapend <= cp + advance) return; nh = *cp; fragmented = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5204_before_imd_1436060711_ip6_print.c
71
72
73
74
75
76
77
78
79
80
cp += advance; len -= advance; if (cp == (const u_char *)(ip6 + 1) && nh != IPPROTO_TCP && nh != IPPROTO_UDP && nh != IPPROTO_DCCP && nh != IPPROTO_SCTP) { ND_PRINT((ndo, "%s > %s: ", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); }
+ show +
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
switch (nh) { case IPPROTO_HOPOPTS: advance = hbhopt_print(ndo, cp); nh = *cp; break; case IPPROTO_DSTOPTS: advance = dstopt_print(ndo, cp); nh = *cp; break; case IPPROTO_FRAGMENT: advance = frag6_print(ndo, cp, (const u_char *)ip6); if (ndo->ndo_snapend <= cp + advance) return; nh = *cp; fragmented = 1;
+ show +
96
97
98
99
100
101
102
103
104
105
break; case IPPROTO_MOBILITY_OLD: case IPPROTO_MOBILITY: /* * XXX - we don't use "advance"; RFC 3775 says that * the next header field in a mobility header * should be IPPROTO_NONE, but speaks of * the possiblity of a future extension in * which payload can be piggybacked atop a
.\cloneFuncs\totalClone\Type-3\CVE-2017-5204_before_1mo_1471182139_ip6_print.c
71
72
73
74
75
76
77
78
79
80
cp += advance; len -= advance; if (cp == (const u_char *)(ip6 + 1) && nh != IPPROTO_TCP && nh != IPPROTO_UDP && nh != IPPROTO_DCCP && nh != IPPROTO_SCTP) { ND_PRINT((ndo, "%s > %s: ", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); }
+ show +
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
switch (nh) { case IPPROTO_HOPOPTS: advance = hbhopt_print(ndo, cp); nh = *cp; break; case IPPROTO_DSTOPTS: advance = dstopt_print(ndo, cp); nh = *cp; break; case IPPROTO_FRAGMENT: advance = frag6_print(ndo, cp, (const u_char *)ip6); if (ndo->ndo_snapend <= cp + advance) return; nh = *cp; fragmented = 1;
+ show +
96
97
98
99
100
101
102
103
104
105
break; case IPPROTO_MOBILITY_OLD: case IPPROTO_MOBILITY: /* * XXX - we don't use "advance"; RFC 3775 says that * the next header field in a mobility header * should be IPPROTO_NONE, but speaks of * the possiblity of a future extension in * which payload can be piggybacked atop a

[tcpdump_CVE-2017-5205_1484516966_ikev2_sub0_print.diff] ikev2_sub0_print_OLD.c #1
static const u_char * ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, - u_char np, int pcount, + u_char np, const struct isakmp_gen *ext, const u_char *ep, uint32_t phase, uint32_t doi, uint32_t proto, int depth) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_sub0_print.c
+ show +
1
2
3
4
5
6
static const u_char * ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, u_char np, int pcount, const struct isakmp_gen *ext, const u_char *ep, uint32_t phase, uint32_t doi, uint32_t proto, int depth) {
+ show +
7
8
9
10
11
12
13
14
15
16
const u_char *cp; struct isakmp_gen e; u_int item_len; cp = (const u_char *)ext; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e)); /* * Since we can't have a payload length of less than 4 bytes,

[tcpdump_CVE-2017-5205_1484516966_ikev2_sub0_print.diff] ikev2_sub0_print_OLD.c #2
if (item_len <= 4) return NULL; - if(np == ISAKMP_NPTYPE_P) { - cp = ikev2_p_print(ndo, np, pcount, ext, item_len, - ep, phase, doi, proto, depth); - } else if(np == ISAKMP_NPTYPE_T) { - cp = ikev2_t_print(ndo, np, pcount, ext, item_len, - ep, phase, doi, proto, depth); - } else if(np == ISAKMP_NPTYPE_v2E) { + if (np == ISAKMP_NPTYPE_v2E) { cp = ikev2_e_print(ndo, base, np, ext, item_len, ep, phase, doi, proto, depth); } else if (NPFUNC(np)) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_sub0_print.c
12
13
14
15
16
17
18
19
20
21
ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e)); /* * Since we can't have a payload length of less than 4 bytes, * we need to bail out here if the generic header is nonsensical * or truncated, otherwise we could loop forever processing * zero-length items or otherwise misdissect the packet. */ item_len = ntohs(e.len);
+ show +
22
23
24
25
26
27
28
29
30
31
32
33
34
if (item_len <= 4) return NULL; if(np == ISAKMP_NPTYPE_P) { cp = ikev2_p_print(ndo, np, pcount, ext, item_len, ep, phase, doi, proto, depth); } else if(np == ISAKMP_NPTYPE_T) { cp = ikev2_t_print(ndo, np, pcount, ext, item_len, ep, phase, doi, proto, depth); } else if(np == ISAKMP_NPTYPE_v2E) { cp = ikev2_e_print(ndo, base, np, ext, item_len, ep, phase, doi, proto, depth); } else if (NPFUNC(np)) {
+ show +
35
36
37
38
39
40
41
42
43
44
/* * XXX - what if item_len is too short, or too long, * for this payload type? */ cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len, ep, phase, doi, proto, depth); } else { ND_PRINT((ndo,"%s", NPSTR(np))); cp += item_len; }

[tcpdump_CVE-2017-5205_1484516966_ikev2_sub0_print.diff] ikev2_sub0_print_OLD.c #3
* XXX - what if item_len is too short, or too long, * for this payload type? */ - cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len, + cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); } else { ND_PRINT((ndo,"%s", NPSTR(np)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_sub0_print.c
26
27
28
29
30
31
32
33
34
35
cp = ikev2_p_print(ndo, np, pcount, ext, item_len, ep, phase, doi, proto, depth); } else if(np == ISAKMP_NPTYPE_T) { cp = ikev2_t_print(ndo, np, pcount, ext, item_len, ep, phase, doi, proto, depth); } else if(np == ISAKMP_NPTYPE_v2E) { cp = ikev2_e_print(ndo, base, np, ext, item_len, ep, phase, doi, proto, depth); } else if (NPFUNC(np)) { /*
+ show +
36
37
38
39
40
41
42
* XXX - what if item_len is too short, or too long, * for this payload type? */ cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len, ep, phase, doi, proto, depth); } else { ND_PRINT((ndo,"%s", NPSTR(np)));
+ show +
43
44
45
46
47
48
49
50
cp += item_len; } return cp; trunc: ND_PRINT((ndo," [|isakmp]")); return NULL; }

[tcpdump_CVE-2017-5205_1484516966_ikev2_sub_print.diff] ikev2_sub_print_OLD.c #1
{ const u_char *cp; int i; - int pcount; struct isakmp_gen e; cp = (const u_char *)ext; - pcount = 0; while (np) { - pcount++; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e));
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_sub_print.c
1
2
3
4
5
static const u_char * ikev2_sub_print(netdissect_options *ndo, struct isakmp *base, u_char np, const struct isakmp_gen *ext, const u_char *ep, uint32_t phase, uint32_t doi, uint32_t proto, int depth)
+ show +
6
7
8
9
10
11
12
13
14
15
16
17
18
{ const u_char *cp; int i; int pcount; struct isakmp_gen e; cp = (const u_char *)ext; pcount = 0; while (np) { pcount++; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+ show +
19
20
21
22
23
24
25
26
27
28
ND_TCHECK2(*ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n")); for (i = 0; i < depth; i++) ND_PRINT((ndo," ")); ND_PRINT((ndo,"(")); cp = ikev2_sub0_print(ndo, base, np, pcount, ext, ep, phase, doi, proto, depth);

[tcpdump_CVE-2017-5205_1484516966_ikev2_sub_print.diff] ikev2_sub_print_OLD.c #2
for (i = 0; i < depth; i++) ND_PRINT((ndo," ")); ND_PRINT((ndo,"(")); - cp = ikev2_sub0_print(ndo, base, np, pcount, + cp = ikev2_sub0_print(ndo, base, np, ext, ep, phase, doi, proto, depth); ND_PRINT((ndo,")")); depth--;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_sub_print.c
14
15
16
17
18
19
20
21
22
23
while (np) { pcount++; ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e)); ND_TCHECK2(*ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n"));
+ show +
24
25
26
27
28
29
30
for (i = 0; i < depth; i++) ND_PRINT((ndo," ")); ND_PRINT((ndo,"(")); cp = ikev2_sub0_print(ndo, base, np, pcount, ext, ep, phase, doi, proto, depth); ND_PRINT((ndo,")")); depth--;
+ show +
31
32
33
34
35
36
37
38
39
40
if (cp == NULL) { /* Zero-length subitem */ return NULL; } np = e.np; ext = (const struct isakmp_gen *)cp; } return cp;

[tcpdump_CVE-2017-5205_1484516966_ikev2_t_print.diff] ikev2_t_print_OLD.c #1
static const u_char * -ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, +ikev2_t_print(netdissect_options *ndo, int tcount, const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, - uint32_t proto _U_, int depth _U_) + const u_char *ep) { const struct ikev2_t *p; struct ikev2_t t;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_t_print.c
+ show +
1
2
3
4
5
6
7
8
static const u_char * ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, uint32_t proto _U_, int depth _U_) { const struct ikev2_t *p; struct ikev2_t t;
+ show +
9
10
11
12
13
14
15
16
17
18
uint16_t t_id; const u_char *cp; const char *idstr; const struct attrmap *map; size_t nmap; const u_char *ep2; p = (const struct ikev2_t *)ext; ND_TCHECK(*p); UNALIGNED_MEMCPY(&t, ext, sizeof(t));

[tcpdump_CVE-2017-5205_1484516966_ikev2_t_print.diff] ikev2_t_print_OLD.c #2
} if (idstr) - ND_PRINT((ndo," #%u type=%s id=%s ", pcount, + ND_PRINT((ndo," #%u type=%s id=%s ", tcount, STR_OR_ID(t.t_type, ikev2_t_type_map), idstr)); else - ND_PRINT((ndo," #%u type=%s id=%u ", pcount, + ND_PRINT((ndo," #%u type=%s id=%u ", tcount, STR_OR_ID(t.t_type, ikev2_t_type_map), t.t_id)); cp = (const u_char *)(p + 1);
.\cloneFuncs\totalClone\Type-1\CVE-2017-5205_before_1mo_1471564715_ikev2_t_print.c
42
43
44
45
46
47
48
49
50
51
idstr = STR_OR_ID(t_id, dh_p_map); break; case IV2_T_ESN: idstr = STR_OR_ID(t_id, esn_p_map); break; default: idstr = NULL; break;
+ show +
52
53
54
55
56
57
58
59
60
61
62
} if (idstr) ND_PRINT((ndo," #%u type=%s id=%s ", pcount, STR_OR_ID(t.t_type, ikev2_t_type_map), idstr)); else ND_PRINT((ndo," #%u type=%s id=%u ", pcount, STR_OR_ID(t.t_type, ikev2_t_type_map), t.t_id)); cp = (const u_char *)(p + 1);
+ show +
63
64
65
66
67
68
69
70
71
72
ep2 = (const u_char *)p + item_len; while (cp < ep && cp < ep2) { if (map && nmap) { cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, map, nmap); } else cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); } if (ep < ep2) ND_PRINT((ndo,"..."));

[tcpdump_CVE-2017-5482_1484215774_q933_print.diff] q933_print_OLD.c #1
ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset)); if (call_ref_length != 0) { + ND_TCHECK(p[0]); if (call_ref_length > 1 || p[0] != 0) { /* * Not a dummy call reference.
.\cloneFuncs\totalClone\Type-1\CVE-2017-5482_before_1mo_1474744011_q933_print.c
111
112
113
114
115
116
117
118
119
120
*/ non_locking_shift = 1; unshift_codeset = 0; } } } /* printing out header part */ if (!ndo->ndo_eflag) ND_PRINT((ndo, ", "));
+ show +
121
122
123
124
125
126
ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset)); if (call_ref_length != 0) { if (call_ref_length > 1 || p[0] != 0) { /* * Not a dummy call reference.
+ show +
127
128
129
130
131
132
133
134
135
136
*/ ND_PRINT((ndo, ", Call Ref: 0x")); for (i = 0; i < call_ref_length; i++) ND_PRINT((ndo, "%02x", call_ref[i])); } } if (ndo->ndo_vflag) { ND_PRINT((ndo, ", %s (0x%02x), length %u", tok2str(fr_q933_msg_values, "unknown message", msgtype),

[tcpdump_CVE-2017-5484_1484353247_atm_print.diff] atm_print_OLD.c #1
switch (vci) { case VCI_PPC: - sig_print(ndo, p, caplen); + sig_print(ndo, p); return; case VCI_BCC:
.\cloneFuncs\totalClone\Type-1\CVE-2017-5484_before_1mo_1471182139_atm_print.c
1
2
3
4
5
6
7
8
9
void atm_print(netdissect_options *ndo, u_int vpi, u_int vci, u_int traftype, const u_char *p, u_int length, u_int caplen) { if (ndo->ndo_eflag) ND_PRINT((ndo, "VPI:%u VCI:%u ", vpi, vci)); if (vpi == 0) {
+ show +
10
11
12
13
14
15
16
switch (vci) { case VCI_PPC: sig_print(ndo, p, caplen); return; case VCI_BCC:
+ show +
17
18
19
20
21
22
23
24
25
26
ND_PRINT((ndo, "broadcast sig: ")); return; case VCI_OAMF4SC: /* fall through */ case VCI_OAMF4EC: oam_print(ndo, p, length, ATM_OAM_HEC); return; case VCI_METAC: ND_PRINT((ndo, "meta: "));

[tcpdump_CVE-2017-5485_1486785149_lookup_bytestring.diff] lookup_bytestring_OLD.c #1
tp->bs_addr1 = j; tp->bs_addr2 = k; - tp->bs_bytes = (u_char *) calloc(1, nlen + 1); + tp->bs_bytes = (u_char *) calloc(1, nlen); if (tp->bs_bytes == NULL) (*ndo->ndo_error)(ndo, "lookup_bytestring: calloc");
.\cloneFuncs\totalClone\Type-1\CVE-2017-5485_before_imd_1486176840_lookup_bytestring.c
21
22
23
24
25
26
27
28
29
30
if (nlen == tp->bs_nbytes && tp->bs_addr0 == i && tp->bs_addr1 == j && tp->bs_addr2 == k && memcmp((const char *)bs, (const char *)(tp->bs_bytes), nlen) == 0) return tp; else tp = tp->bs_nxt; tp->bs_addr0 = i;
+ show +
31
32
33
34
35
36
tp->bs_addr1 = j; tp->bs_addr2 = k; tp->bs_bytes = (u_char *) calloc(1, nlen + 1); if (tp->bs_bytes == NULL) (*ndo->ndo_error)(ndo, "lookup_bytestring: calloc");
+ show +
37
38
39
40
41
42
43
44
45
memcpy(tp->bs_bytes, bs, nlen); tp->bs_nbytes = nlen; tp->bs_nxt = (struct bsnamemem *)calloc(1, sizeof(*tp)); if (tp->bs_nxt == NULL) (*ndo->ndo_error)(ndo, "lookup_bytestring: calloc"); return tp; }

[tcpdump_CVE-2017-5485_1486785149_lookup_nsap.diff] lookup_nsap_OLD.c #1
tp = &nsaptable[(i ^ j) & (HASHNAMESIZE-1)]; while (tp->e_nxt) - if (tp->e_addr0 == i && + if (nsap_length == tp->e_nsap[0] && + tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k && - tp->e_nsap[0] == nsap_length && - memcmp((const char *)&(nsap[1]), + memcmp((const char *)nsap, (char *)&(tp->e_nsap[1]), nsap_length) == 0) return tp; else
.\cloneFuncs\totalClone\Type-1\CVE-2017-5485_before_imd_1486176840_lookup_nsap.c
8
9
10
11
12
13
14
15
16
17
if (nsap_length > 6) { ensap = nsap + nsap_length - 6; k = (ensap[0] << 8) | ensap[1]; j = (ensap[2] << 8) | ensap[3]; i = (ensap[4] << 8) | ensap[5]; } else i = j = k = 0;
+ show +
18
19
20
21
22
23
24
25
26
27
tp = &nsaptable[(i ^ j) & (HASHNAMESIZE-1)]; while (tp->e_nxt) if (tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k && tp->e_nsap[0] == nsap_length && memcmp((const char *)&(nsap[1]), (char *)&(tp->e_nsap[1]), nsap_length) == 0) return tp; else
+ show +
28
29
30
31
32
33
34
35
36
37
tp = tp->e_nxt; tp->e_addr0 = i; tp->e_addr1 = j; tp->e_addr2 = k; tp->e_nsap = (u_char *)malloc(nsap_length + 1); if (tp->e_nsap == NULL) (*ndo->ndo_error)(ndo, "lookup_nsap: malloc"); tp->e_nsap[0] = (u_char)nsap_length; /* guaranteed < ISONSAP_MAX_LENGTH */ memcpy((char *)&tp->e_nsap[1], (const char *)nsap, nsap_length); tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp));

[tcpdump_CVE-2017-5486_1484359246_esis_print.diff] esis_print_OLD.c #1
} if (li > length) { - ND_PRINT((ndo, " length indicator(%d) > PDU size (%d)!", li, length)); + ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length)); return; } if (li < sizeof(struct esis_header_t) + 2) { - ND_PRINT((ndo, " length indicator < min PDU size %d:", li)); + ND_PRINT((ndo, " length indicator %u < min PDU size:", li)); while (pptr < ndo->ndo_snapend) ND_PRINT((ndo, "%02X", *pptr++)); return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5486_before_1mo_1474728230_esis_print.c
24
25
26
27
28
29
30
31
32
33
*/ if (esis_header->nlpid != NLPID_ESIS) { ND_PRINT((ndo, " nlpid 0x%02x packet not supported", esis_header->nlpid)); return; } if (esis_header->version != ESIS_VERSION) { ND_PRINT((ndo, " version %d packet not supported", esis_header->version)); return;
+ show +
34
35
36
37
38
39
40
41
42
43
44
45
} if (li > length) { ND_PRINT((ndo, " length indicator(%d) > PDU size (%d)!", li, length)); return; } if (li < sizeof(struct esis_header_t) + 2) { ND_PRINT((ndo, " length indicator < min PDU size %d:", li)); while (pptr < ndo->ndo_snapend) ND_PRINT((ndo, "%02X", *pptr++)); return;
+ show +
46
47
48
49
50
51
52
53
54
55
} esis_pdu_type = esis_header->type & ESIS_PDU_TYPE_MASK; if (ndo->ndo_vflag < 1) { ND_PRINT((ndo, "%s%s, length %u", ndo->ndo_eflag ? "" : ", ", tok2str(esis_pdu_values,"unknown type (%u)",esis_pdu_type), length)); return;

[tcpdump_CVE-2017-5486_1484359246_clnp_print.diff] clnp_print_OLD.c #1
ND_PRINT((ndo, "version %d packet not supported", clnp_header->version)); return (0); } - if (li < sizeof(struct clnp_header_t)) { - ND_PRINT((ndo, "li < size of fixed part of CLNP header")); + + if (li > length) { + ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length)); return (0); - } - if (li > length) { - ND_PRINT((ndo, "li > size of packet")); + } + + if (li < sizeof(struct clnp_header_t)) { + ND_PRINT((ndo, " length indicator %u < min PDU size:", li)); + while (pptr < ndo->ndo_snapend) + ND_PRINT((ndo, "%02X", *pptr++)); return (0); }
.\cloneFuncs\totalClone\Type-1\CVE-2017-5486_before_imd_1484255682_clnp_print.c
15
16
17
18
19
20
21
22
23
24
optr = pptr; if (!ndo->ndo_eflag) ND_PRINT((ndo, "CLNP")); /* * Sanity checking of the header. */ if (clnp_header->version != CLNP_VERSION) {
+ show +
25
26
27
28
29
30
31
32
33
34
35
ND_PRINT((ndo, "version %d packet not supported", clnp_header->version)); return (0); } if (li < sizeof(struct clnp_header_t)) { ND_PRINT((ndo, "li < size of fixed part of CLNP header")); return (0); } if (li > length) { ND_PRINT((ndo, "li > size of packet")); return (0); }
+ show +
36
37
38
39
40
41
42
43
44
45
/* FIXME further header sanity checking */ clnp_pdu_type = clnp_header->type & CLNP_PDU_TYPE_MASK; clnp_flags = clnp_header->type & CLNP_FLAG_MASK; pptr += sizeof(struct clnp_header_t); li -= sizeof(struct clnp_header_t); if (li < 1) {

[tcpdump_CVE-2017-5486_1484359246_clnp_print.diff] clnp_print_OLD.c #2
ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } + ND_TCHECK2(*pptr, dest_address_length); dest_address = pptr; pptr += dest_address_length; li -= dest_address_length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5486_before_imd_1484255682_clnp_print.c
44
45
46
47
48
49
50
51
52
53
if (li < 1) { ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } ND_TCHECK(*pptr); dest_address_length = *pptr; pptr += 1; li -= 1; if (li < dest_address_length) {
+ show +
54
55
56
57
58
59
ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } dest_address = pptr; pptr += dest_address_length; li -= dest_address_length;
+ show +
60
61
62
63
64
65
66
67
68
69
if (li < 1) { ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } ND_TCHECK(*pptr); source_address_length = *pptr; pptr += 1; li -= 1; if (li < source_address_length) {

[tcpdump_CVE-2017-5486_1484359246_clnp_print.diff] clnp_print_OLD.c #3
ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } + ND_TCHECK2(*pptr, source_address_length); source_address = pptr; pptr += source_address_length; li -= source_address_length;
.\cloneFuncs\totalClone\Type-1\CVE-2017-5486_before_imd_1484255682_clnp_print.c
60
61
62
63
64
65
66
67
68
69
if (li < 1) { ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } ND_TCHECK(*pptr); source_address_length = *pptr; pptr += 1; li -= 1; if (li < source_address_length) {
+ show +
70
71
72
73
74
75
ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses")); return (0); } source_address = pptr; pptr += source_address_length; li -= source_address_length;
+ show +
76
77
78
79
80
81
82
83
84
85
if (ndo->ndo_vflag < 1) { ND_PRINT((ndo, "%s%s > %s, %s, length %u", ndo->ndo_eflag ? "" : ", ", isonsap_string(ndo, source_address, source_address_length), isonsap_string(ndo, dest_address, dest_address_length), tok2str(clnp_pdu_values,"unknown (%u)",clnp_pdu_type), length)); return (1); }

[xen_CVE-2017-5715_1520860775_enable_smccc_arch_workaround_1.diff] enable_smccc_arch_workaround_1_OLD.c #1
arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FID, ARM_SMCCC_ARCH_WORKAROUND_1_FID, &res); - if ( res.a0 != ARM_SMCCC_SUCCESS ) + /* The return value is in the lower 32-bits. */ + if ( (int)res.a0 < 0 ) goto warn; return !install_bp_hardening_vec(entry,__smccc_workaround_1_smc_start,
.\cloneFuncs\totalClone\Type-1\CVE-2017-5715_before_imd_1519412243_enable_smccc_arch_workaround_1.c
8
9
10
11
12
13
14
15
16
17
* Enable callbacks are called on every CPU based on the * capabilities. So double-check whether the CPU matches the * entry. */ if ( !entry->matches(entry) ) return 0; if ( smccc_ver < SMCCC_VERSION(1, 1) ) goto warn;
+ show +
18
19
20
21
22
23
arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FID, ARM_SMCCC_ARCH_WORKAROUND_1_FID, &res); if ( res.a0 != ARM_SMCCC_SUCCESS ) goto warn; return !install_bp_hardening_vec(entry,__smccc_workaround_1_smc_start,
+ show +
24
25
26
27
28
29
30
31
32
33
__smccc_workaround_1_smc_end, "call ARM_SMCCC_ARCH_WORKAROUND_1"); warn: if ( !warned ) { ASSERT(system_state < SYS_STATE_active); warning_add("No support for ARM_SMCCC_ARCH_WORKAROUND_1.\n" "Please update your firmware.\n"); warned = false;

[qemu_CVE-2017-5898_1487250819_ccid_handle_bulk_out.diff] ccid_handle_bulk_out_OLD.c #1
} ccid_header = (CCID_Header *)s->bulk_out_data; - if (p->iov.size == CCID_MAX_PACKET_SIZE) { + if ((s->bulk_out_pos - 10 < ccid_header->dwLength) && + (p->iov.size == CCID_MAX_PACKET_SIZE)) { DPRINTF(s, D_VERBOSE, - "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", - p->iov.size, ccid_header->dwLength); + "usb-ccid: bulk_in: expecting more packets (%d/%d)\n", + s->bulk_out_pos - 10, ccid_header->dwLength); return; } + if (s->bulk_out_pos - 10 != ccid_header->dwLength) { + DPRINTF(s, 1, + "usb-ccid: bulk_in: message size mismatch (got %d, expected %d)\n", + s->bulk_out_pos - 10, ccid_header->dwLength); + goto err; + } DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, ccid_header->bMessageType,
.\cloneFuncs\totalClone\Type-1\CVE-2017-5898_before_imd_1487250818_ccid_handle_bulk_out.c
3
4
5
6
7
8
9
10
11
12
CCID_Header *ccid_header; if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) { goto err; } usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size); s->bulk_out_pos += p->iov.size; if (s->bulk_out_pos < 10) { DPRINTF(s, 1, "%s: header incomplete\n", __func__); goto err;
+ show +
13
14
15
16
17
18
19
20
21
22
23
24
} ccid_header = (CCID_Header *)s->bulk_out_data; if (p->iov.size == CCID_MAX_PACKET_SIZE) { DPRINTF(s, D_VERBOSE, "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", p->iov.size, ccid_header->dwLength); return; } DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, ccid_header->bMessageType,
+ show +
25
26
27
28
29
30
31
32
33
34
ccid_message_type_to_str(ccid_header->bMessageType)); switch (ccid_header->bMessageType) { case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus: ccid_write_slot_status(s, ccid_header); break; case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn: DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__, ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect); s->powered = true; if (!ccid_card_inserted(s)) {

[linux_CVE-2017-7184_1490255144_xfrm_replay_verify_len.diff] xfrm_replay_verify_len_OLD.c #1
up = nla_data(rp); ulen = xfrm_replay_state_esn_len(up); - if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) + /* Check the overall length and the internal bitmap length to avoid + * potential overflow. */ + if (nla_len(rp) < ulen || + xfrm_replay_state_esn_len(replay_esn) != ulen || + replay_esn->bmp_len != up->bmp_len) return -EINVAL; if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
.\cloneFuncs\totalClone\Type-1\CVE-2017-7184_before_imd_1490167771_xfrm_replay_verify_len.c
1
2
3
4
5
6
7
8
9
static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, struct nlattr *rp) { struct xfrm_replay_state_esn *up; int ulen; if (!replay_esn || !rp) return 0;
+ show +
10
11
12
13
14
15
16
up = nla_data(rp); ulen = xfrm_replay_state_esn_len(up); if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) return -EINVAL; if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+ show +
17
18
19
20
return -EINVAL; return 0; }

[linux_CVE-2017-7472_1492525869_install_thread_keyring.diff] install_thread_keyring_OLD.c #1
if (!new) return -ENOMEM; - BUG_ON(new->thread_keyring); - ret = install_thread_keyring_to_cred(new); if (ret < 0) { abort_creds(new);
.\cloneFuncs\totalClone\Type-1\CVE-2017-7472_before_1mo_1482608761_install_thread_keyring.c
1
2
3
4
5
6
static int install_thread_keyring(void) { struct cred *new; int ret; new = prepare_creds();
+ show +
7
8
9
10
11
12
13
14
if (!new) return -ENOMEM; BUG_ON(new->thread_keyring); ret = install_thread_keyring_to_cred(new); if (ret < 0) { abort_creds(new);
+ show +
15
16
17
18
19
return ret; } return commit_creds(new); }

[linux_CVE-2017-7482_1497481944_rxrpc_krb5_decode_principal.diff] rxrpc_krb5_decode_principal_OLD.c #1
unsigned int *_toklen) { const __be32 *xdr = *_xdr; - unsigned int toklen = *_toklen, n_parts, loop, tmp; + unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen; /* there must be at least one name, and at least #names+1 length * words */
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_krb5_decode_principal.c
1
2
static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, const __be32 **_xdr,
+ show +
3
4
5
6
7
8
9
unsigned int *_toklen) { const __be32 *xdr = *_xdr; unsigned int toklen = *_toklen, n_parts, loop, tmp; /* there must be at least one name, and at least #names+1 length * words */
+ show +
10
11
12
13
14
15
16
17
18
19
if (toklen <= 12) return -EINVAL; _enter(",{%x,%x,%x},%u", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), toklen); n_parts = ntohl(*xdr++); toklen -= 4; if (n_parts <= 0 || n_parts > AFSTOKEN_K5_COMPONENTS_MAX) return -EINVAL;

[linux_CVE-2017-7482_1497481944_rxrpc_krb5_decode_principal.diff] rxrpc_krb5_decode_principal_OLD.c #2
toklen -= 4; if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) return -EINVAL; - if (tmp > toklen) + paddedlen = (tmp + 3) & ~3; + if (paddedlen > toklen) return -EINVAL; princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); if (!princ->name_parts[loop]) return -ENOMEM; memcpy(princ->name_parts[loop], xdr, tmp); princ->name_parts[loop][tmp] = 0; - tmp = (tmp + 3) & ~3; - toklen -= tmp; - xdr += tmp >> 2; + toklen -= paddedlen; + xdr += paddedlen >> 2; } if (toklen < 4)
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_krb5_decode_principal.c
23
24
25
26
27
28
29
30
31
32
return -EINVAL; princ->name_parts = kcalloc(n_parts, sizeof(char *), GFP_KERNEL); if (!princ->name_parts) return -ENOMEM; for (loop = 0; loop < n_parts; loop++) { if (toklen < 4) return -EINVAL; tmp = ntohl(*xdr++);
+ show +
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
toklen -= 4; if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) return -EINVAL; if (tmp > toklen) return -EINVAL; princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); if (!princ->name_parts[loop]) return -ENOMEM; memcpy(princ->name_parts[loop], xdr, tmp); princ->name_parts[loop][tmp] = 0; tmp = (tmp + 3) & ~3; toklen -= tmp; xdr += tmp >> 2; } if (toklen < 4)
+ show +
49
50
51
52
53
54
55
56
57
58
return -EINVAL; tmp = ntohl(*xdr++); toklen -= 4; if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) return -EINVAL; if (tmp > toklen) return -EINVAL; princ->realm = kmalloc(tmp + 1, GFP_KERNEL); if (!princ->realm) return -ENOMEM;

[linux_CVE-2017-7482_1497481944_rxrpc_krb5_decode_tagged_data.diff] rxrpc_krb5_decode_tagged_data_OLD.c #1
unsigned int *_toklen) { const __be32 *xdr = *_xdr; - unsigned int toklen = *_toklen, len; + unsigned int toklen = *_toklen, len, paddedlen; /* there must be at least one tag and one length word */ if (toklen <= 8)
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_krb5_decode_tagged_data.c
1
2
3
static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, size_t max_data_size, const __be32 **_xdr,
+ show +
4
5
6
7
8
9
10
unsigned int *_toklen) { const __be32 *xdr = *_xdr; unsigned int toklen = *_toklen, len; /* there must be at least one tag and one length word */ if (toklen <= 8)
+ show +
11
12
13
14
15
16
17
18
19
20
return -EINVAL; _enter(",%zu,{%x,%x},%u", max_data_size, ntohl(xdr[0]), ntohl(xdr[1]), toklen); td->tag = ntohl(*xdr++); len = ntohl(*xdr++); toklen -= 8; if (len > max_data_size) return -EINVAL;

[linux_CVE-2017-7482_1497481944_rxrpc_krb5_decode_ticket.diff] rxrpc_krb5_decode_ticket_OLD.c #1
const __be32 **_xdr, unsigned int *_toklen) { const __be32 *xdr = *_xdr; - unsigned int toklen = *_toklen, len; + unsigned int toklen = *_toklen, len, paddedlen; /* there must be at least one length word */ if (toklen <= 4)
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_krb5_decode_ticket.c
1
static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
+ show +
2
3
4
5
6
7
8
const __be32 **_xdr, unsigned int *_toklen) { const __be32 *xdr = *_xdr; unsigned int toklen = *_toklen, len; /* there must be at least one length word */ if (toklen <= 4)
+ show +
9
10
11
12
13
14
15
16
17
18
return -EINVAL; _enter(",{%x},%u", ntohl(xdr[0]), toklen); len = ntohl(*xdr++); toklen -= 4; if (len > AFSTOKEN_K5_TIX_MAX) return -EINVAL; *_tktlen = len;

[linux_CVE-2017-7482_1497481944_rxrpc_krb5_decode_ticket.diff] rxrpc_krb5_decode_ticket_OLD.c #2
toklen -= 4; if (len > AFSTOKEN_K5_TIX_MAX) return -EINVAL; + paddedlen = (len + 3) & ~3; + if (paddedlen > toklen) + return -EINVAL; *_tktlen = len; _debug("ticket len %u", len);
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_krb5_decode_ticket.c
4
5
6
7
8
9
10
11
12
13
const __be32 *xdr = *_xdr; unsigned int toklen = *_toklen, len; /* there must be at least one length word */ if (toklen <= 4) return -EINVAL; _enter(",{%x},%u", ntohl(xdr[0]), toklen); len = ntohl(*xdr++);
+ show +
14
15
16
17
18
19
toklen -= 4; if (len > AFSTOKEN_K5_TIX_MAX) return -EINVAL; *_tktlen = len; _debug("ticket len %u", len);
+ show +
20
21
22
23
24
25
26
27
28
29
if (len > 0) { *_ticket = kmemdup(xdr, len, GFP_KERNEL); if (!*_ticket) return -ENOMEM; len = (len + 3) & ~3; toklen -= len; xdr += len >> 2; }

[linux_CVE-2017-7482_1497481944_rxrpc_preparse_xdr.diff] rxrpc_preparse_xdr_OLD.c #1
{ const __be32 *xdr = prep->data, *token; const char *cp; - unsigned int len, tmp, loop, ntoken, toklen, sec_ix; + unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix; size_t datalen = prep->datalen; int ret;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_preparse_xdr.c
1
static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
+ show +
2
3
4
5
6
7
{ const __be32 *xdr = prep->data, *token; const char *cp; unsigned int len, tmp, loop, ntoken, toklen, sec_ix; size_t datalen = prep->datalen; int ret;
+ show +
8
9
10
11
12
13
14
15
16
17
_enter(",{%x,%x,%x,%x},%zu", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), prep->datalen); if (datalen > AFSTOKEN_LENGTH_MAX) goto not_xdr; /* XDR is an array of __be32's */ if (datalen & 3)

[linux_CVE-2017-7482_1497481944_rxrpc_preparse_xdr.diff] rxrpc_preparse_xdr_OLD.c #2
if (len < 1 || len > AFSTOKEN_CELL_MAX) goto not_xdr; datalen -= 4; - tmp = (len + 3) & ~3; - if (tmp > datalen) + paddedlen = (len + 3) & ~3; + if (paddedlen > datalen) goto not_xdr; cp = (const char *) xdr; for (loop = 0; loop < len; loop++) if (!isprint(cp[loop])) goto not_xdr; - if (len < tmp) - for (; loop < tmp; loop++) - if (cp[loop]) - goto not_xdr; + for (; loop < paddedlen; loop++) + if (cp[loop]) + goto not_xdr; _debug("cellname: [%u/%u] '%*.*s'", - len, tmp, len, len, (const char *) xdr); - datalen -= tmp; - xdr += tmp >> 2; + len, paddedlen, len, len, (const char *) xdr); + datalen -= paddedlen; + xdr += paddedlen >> 2; /* get the token count */ if (datalen < 12)
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_preparse_xdr.c
18
19
20
21
22
23
24
25
26
27
goto not_xdr; /* the flags should be 0 (the setpag bit must be handled by * userspace) */ if (ntohl(*xdr++) != 0) goto not_xdr; datalen -= 4; /* check the cell name */ len = ntohl(*xdr++);
+ show +
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
if (len < 1 || len > AFSTOKEN_CELL_MAX) goto not_xdr; datalen -= 4; tmp = (len + 3) & ~3; if (tmp > datalen) goto not_xdr; cp = (const char *) xdr; for (loop = 0; loop < len; loop++) if (!isprint(cp[loop])) goto not_xdr; if (len < tmp) for (; loop < tmp; loop++) if (cp[loop]) goto not_xdr; _debug("cellname: [%u/%u] '%*.*s'", len, tmp, len, len, (const char *) xdr); datalen -= tmp; xdr += tmp >> 2; /* get the token count */ if (datalen < 12)
+ show +
50
51
52
53
54
55
56
57
58
59
goto not_xdr; ntoken = ntohl(*xdr++); datalen -= 4; _debug("ntoken: %x", ntoken); if (ntoken < 1 || ntoken > AFSTOKEN_MAX) goto not_xdr; /* check each token wrapper */ token = xdr; loop = ntoken;

[linux_CVE-2017-7482_1497481944_rxrpc_preparse_xdr.diff] rxrpc_preparse_xdr_OLD.c #3
sec_ix = ntohl(*xdr); datalen -= 4; _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); - if (toklen < 20 || toklen > datalen) + paddedlen = (toklen + 3) & ~3; + if (toklen < 20 || toklen > datalen || paddedlen > datalen) goto not_xdr; - datalen -= (toklen + 3) & ~3; - xdr += (toklen + 3) >> 2; + datalen -= paddedlen; + xdr += paddedlen >> 2; } while (--loop > 0);
.\cloneFuncs\totalClone\Type-1\CVE-2017-7482_before_1mo_1459774836_rxrpc_preparse_xdr.c
54
55
56
57
58
59
60
61
62
63
if (ntoken < 1 || ntoken > AFSTOKEN_MAX) goto not_xdr; /* check each token wrapper */ token = xdr; loop = ntoken; do { if (datalen < 8) goto not_xdr; toklen = ntohl(*xdr++);
+ show +
64
65
66
67
68
69
70
71
72
sec_ix = ntohl(*xdr); datalen -= 4; _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); if (toklen < 20 || toklen > datalen) goto not_xdr; datalen -= (toklen + 3) & ~3; xdr += (toklen + 3) >> 2; } while (--loop > 0);
+ show +
73
74
75
76
77
78
79
80
81
82
_debug("remainder: %zu", datalen); if (datalen != 0) goto not_xdr; /* okay: we're going to assume it's valid XDR format * - we ignore the cellname, relying on the key to be correctly named */ do { xdr = token;

[qemu_CVE-2017-7493_1493988488_local_mkdir.diff] local_mkdir_OLD.c #1
int err = -1; int dirfd; + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno = EINVAL; + return -1; + } + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mkdir.c
1
2
3
static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err == -1) { goto out; } credp->fc_mode = credp->fc_mode | S_IFDIR;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mknod.c
1
2
3
static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err == -1) { goto out; } if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_symlink.c
1
2
3
static int local_symlink(FsContext *fs_ctx, const char *oldpath, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} /* Determine the security model */ if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, SM_LOCAL_MODE_BITS);

[qemu_CVE-2017-7493_1493988488_local_mknod.diff] local_mknod_OLD.c #1
int err = -1; int dirfd; + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno = EINVAL; + return -1; + } + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mkdir.c
1
2
3
static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err == -1) { goto out; } credp->fc_mode = credp->fc_mode | S_IFDIR;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mknod.c
1
2
3
static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err == -1) { goto out; } if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_symlink.c
1
2
3
static int local_symlink(FsContext *fs_ctx, const char *oldpath, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} /* Determine the security model */ if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, SM_LOCAL_MODE_BITS);

[qemu_CVE-2017-7493_1493988488_local_symlink.diff] local_symlink_OLD.c #1
int err = -1; int dirfd; + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno = EINVAL; + return -1; + } + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mkdir.c
1
2
3
static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err == -1) { goto out; } credp->fc_mode = credp->fc_mode | S_IFDIR;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_mknod.c
1
2
3
static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { err = mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err == -1) { goto out; } if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_symlink.c
1
2
3
static int local_symlink(FsContext *fs_ctx, const char *oldpath, V9fsPath *dir_path, const char *name, FsCred *credp) {
+ show +
4
5
6
7
8
9
int err = -1; int dirfd; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
16
17
18
19
} /* Determine the security model */ if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, SM_LOCAL_MODE_BITS);

[qemu_CVE-2017-7493_1493988488_local_open2.diff] local_open2_OLD.c #1
int err = -1; int dirfd; + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno = EINVAL; + return -1; + } + /* * Mark all the open to not follow symlinks */
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_open2.c
1
2
3
4
static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, int flags, FsCred *credp, V9fsFidOpenState *fs) { int fd = -1;
+ show +
5
6
7
8
9
10
int err = -1; int dirfd; /* * Mark all the open to not follow symlinks */
+ show +
11
12
13
14
15
16
17
18
19
20
flags |= O_NOFOLLOW; dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd == -1) { return -1; } /* Determine the security model */ if (fs_ctx->export_flags & V9FS_SM_MAPPED || fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) {

[qemu_CVE-2017-7493_1493988488_local_renameat.diff] local_renameat_OLD.c #1
int ret; int odirfd, ndirfd; + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + (local_is_mapped_file_metadata(ctx, old_name) || + local_is_mapped_file_metadata(ctx, new_name))) { + errno = EINVAL; + return -1; + } + odirfd = local_opendir_nofollow(ctx, olddir->data); if (odirfd == -1) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_renameat.c
1
2
3
4
static int local_renameat(FsContext *ctx, V9fsPath *olddir, const char *old_name, V9fsPath *newdir, const char *new_name) {
+ show +
5
6
7
8
9
10
int ret; int odirfd, ndirfd; odirfd = local_opendir_nofollow(ctx, olddir->data); if (odirfd == -1) { return -1;
+ show +
11
12
13
14
15
16
17
18
19
20
} ndirfd = local_opendir_nofollow(ctx, newdir->data); if (ndirfd == -1) { close_preserve_errno(odirfd); return -1; } ret = renameat(odirfd, old_name, ndirfd, new_name); if (ret < 0) {

[qemu_CVE-2017-7493_1493988488_local_unlinkat.diff] local_unlinkat_OLD.c #1
int ret; int dirfd; + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(ctx, name)) { + errno = EINVAL; + return -1; + } + dirfd = local_opendir_nofollow(ctx, dir->data); if (dirfd == -1) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7493_before_1mo_1488818041_local_unlinkat.c
1
2
3
static int local_unlinkat(FsContext *ctx, V9fsPath *dir, const char *name, int flags) {
+ show +
4
5
6
7
8
9
int ret; int dirfd; dirfd = local_opendir_nofollow(ctx, dir->data); if (dirfd == -1) { return -1;
+ show +
10
11
12
13
14
15
} ret = local_unlinkat_common(ctx, dirfd, name, flags); close_preserve_errno(dirfd); return ret; }

[linux_CVE-2017-7518_1496841194_init_emulate_ctxt.diff] init_emulate_ctxt_OLD.c #1
kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l); ctxt->eflags = kvm_get_rflags(vcpu); + ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0; + ctxt->eip = kvm_rip_read(vcpu); ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL : (ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
.\cloneFuncs\totalClone\Type-1\CVE-2017-7518_before_1mo_1493734818_init_emulate_ctxt.c
1
2
3
4
5
static void init_emulate_ctxt(struct kvm_vcpu *vcpu) { struct x86_emulate_ctxt *ctxt = &vcpu->arch.emulate_ctxt; int cs_db, cs_l;
+ show +
6
7
8
9
10
11
kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l); ctxt->eflags = kvm_get_rflags(vcpu); ctxt->eip = kvm_rip_read(vcpu); ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL : (ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
+ show +
12
13
14
15
16
17
18
19
20
21
(cs_l && is_long_mode(vcpu)) ? X86EMUL_MODE_PROT64 : cs_db ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16; BUILD_BUG_ON(HF_GUEST_MASK != X86EMUL_GUEST_MASK); BUILD_BUG_ON(HF_SMM_MASK != X86EMUL_SMM_MASK); BUILD_BUG_ON(HF_SMM_INSIDE_NMI_MASK != X86EMUL_SMM_INSIDE_NMI_MASK); init_decode_cache(ctxt); vcpu->arch.emulate_regs_need_sync_from_vcpu = false; }
.\cloneFuncs\totalClone\Type-3\CVE-2017-7518_before_6mo_1480518190_init_emulate_ctxt.c
1
2
3
4
5
static void init_emulate_ctxt(struct kvm_vcpu *vcpu) { struct x86_emulate_ctxt *ctxt = &vcpu->arch.emulate_ctxt; int cs_db, cs_l;
+ show +
6
7
8
9
10
11
kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l); ctxt->eflags = kvm_get_rflags(vcpu); ctxt->eip = kvm_rip_read(vcpu); ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL : (ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
+ show +
12
13
14
15
16
17
18
19
20
21
(cs_l && is_long_mode(vcpu)) ? X86EMUL_MODE_PROT64 : cs_db ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16; BUILD_BUG_ON(HF_GUEST_MASK != X86EMUL_GUEST_MASK); BUILD_BUG_ON(HF_SMM_MASK != X86EMUL_SMM_MASK); BUILD_BUG_ON(HF_SMM_INSIDE_NMI_MASK != X86EMUL_SMM_INSIDE_NMI_MASK); ctxt->emul_flags = vcpu->arch.hflags; init_decode_cache(ctxt); vcpu->arch.emulate_regs_need_sync_from_vcpu = false;

[linux_CVE-2017-7558_1503487633_sctp_get_sctp_info.diff] sctp_get_sctp_info_OLD.c #1
info->sctpi_ictrlchunks = asoc->stats.ictrlchunks; prim = asoc->peer.primary_path; - memcpy(&info->sctpi_p_address, &prim->ipaddr, - sizeof(struct sockaddr_storage)); + memcpy(&info->sctpi_p_address, &prim->ipaddr, sizeof(prim->ipaddr)); info->sctpi_p_state = prim->state; info->sctpi_p_cwnd = prim->cwnd; info->sctpi_p_srtt = prim->srtt;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7558_before_1mo_1498794736_sctp_get_sctp_info.c
57
58
59
60
61
62
63
64
65
66
info->sctpi_ipackets = asoc->stats.ipackets; info->sctpi_rtxchunks = asoc->stats.rtxchunks; info->sctpi_outofseqtsns = asoc->stats.outofseqtsns; info->sctpi_idupchunks = asoc->stats.idupchunks; info->sctpi_gapcnt = asoc->stats.gapcnt; info->sctpi_ouodchunks = asoc->stats.ouodchunks; info->sctpi_iuodchunks = asoc->stats.iuodchunks; info->sctpi_oodchunks = asoc->stats.oodchunks; info->sctpi_iodchunks = asoc->stats.iodchunks; info->sctpi_octrlchunks = asoc->stats.octrlchunks;
+ show +
67
68
69
70
71
72
73
74
info->sctpi_ictrlchunks = asoc->stats.ictrlchunks; prim = asoc->peer.primary_path; memcpy(&info->sctpi_p_address, &prim->ipaddr, sizeof(struct sockaddr_storage)); info->sctpi_p_state = prim->state; info->sctpi_p_cwnd = prim->cwnd; info->sctpi_p_srtt = prim->srtt;
+ show +
75
76
77
78
79
80
81
82
83
84
info->sctpi_p_rto = jiffies_to_msecs(prim->rto); info->sctpi_p_hbinterval = prim->hbinterval; info->sctpi_p_pathmaxrxt = prim->pathmaxrxt; info->sctpi_p_sackdelay = jiffies_to_msecs(prim->sackdelay); info->sctpi_p_ssthresh = prim->ssthresh; info->sctpi_p_partial_bytes_acked = prim->partial_bytes_acked; info->sctpi_p_flight_size = prim->flight_size; info->sctpi_p_error = prim->error_count; return 0;
.\cloneFuncs\totalClone\Type-2\CVE-2017-7558_before_6mo_1487440366_sctp_get_sctp_info.c
57
58
59
60
61
62
63
64
65
66
info->sctpi_ipackets = asoc->stats.ipackets; info->sctpi_rtxchunks = asoc->stats.rtxchunks; info->sctpi_outofseqtsns = asoc->stats.outofseqtsns; info->sctpi_idupchunks = asoc->stats.idupchunks; info->sctpi_gapcnt = asoc->stats.gapcnt; info->sctpi_ouodchunks = asoc->stats.ouodchunks; info->sctpi_iuodchunks = asoc->stats.iuodchunks; info->sctpi_oodchunks = asoc->stats.oodchunks; info->sctpi_iodchunks = asoc->stats.iodchunks; info->sctpi_octrlchunks = asoc->stats.octrlchunks;
+ show +
67
68
69
70
71
72
73
74
info->sctpi_ictrlchunks = asoc->stats.ictrlchunks; prim = asoc->peer.primary_path; memcpy(&info->sctpi_p_address, &prim->ipaddr, sizeof(struct sockaddr_storage)); info->sctpi_p_state = prim->state; info->sctpi_p_cwnd = prim->cwnd; info->sctpi_p_srtt = prim->srtt;
+ show +
75
76
77
78
79
80
81
82
83
84
info->sctpi_p_rto = jiffies_to_msecs(prim->rto); info->sctpi_p_hbinterval = prim->hbinterval; info->sctpi_p_pathmaxrxt = prim->pathmaxrxt; info->sctpi_p_sackdelay = jiffies_to_msecs(prim->sackdelay); info->sctpi_p_ssthresh = prim->ssthresh; info->sctpi_p_partial_bytes_acked = prim->partial_bytes_acked; info->sctpi_p_flight_size = prim->flight_size; info->sctpi_p_error = prim->error_count; return 0;

[ffmpeg_CVE-2017-7862_1486478949_decode_frame.diff] decode_frame_OLD.c #1
avctx->pix_fmt = AV_PIX_FMT_PAL8; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret;
.\cloneFuncs\totalClone\Type-1\CVE-2017-7862_before_1mo_1382864546_decode_frame.c
32
33
34
35
36
37
38
39
40
41
bytestream2_skip(&s->g, 2); etype = bytestream2_get_le16(&s->g); esize = bytestream2_get_le16(&s->g); if (bytestream2_get_bytes_left(&s->g) < esize) return AVERROR_INVALIDDATA; } else { etype = -1; esize = 0; }
+ show +
42
43
44
45
46
47
avctx->pix_fmt = AV_PIX_FMT_PAL8; if (s->width != avctx->width && s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret;
+ show +
48
49
50
51
52
53
54
55
56
57
} if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } memset(frame->data[0], 0, s->height * frame->linesize[0]); frame->pict_type = AV_PICTURE_TYPE_I; frame->palette_has_changed = 1;

[linux_CVE-2017-8824_1520366221_dccp_sendmsg.diff] dccp_sendmsg_OLD.c #1
if (skb == NULL) goto out_release; + if (sk->sk_state == DCCP_CLOSED) { + rc = -ENOTCONN; + goto out_discard; + } + skb_reserve(skb, sk->sk_prot->max_header); rc = memcpy_from_msg(skb_put(skb, len), msg, len); if (rc != 0)
.\cloneFuncs\totalClone\Type-1\CVE-2017-8824_before_1mo_1517437870_dccp_sendmsg.c
27
28
29
30
31
32
33
34
35
36
*/ /* Wait for a connection to finish. */ if ((1 << sk->sk_state) & ~(DCCPF_OPEN | DCCPF_PARTOPEN)) if ((rc = sk_stream_wait_connect(sk, &timeo)) != 0) goto out_release; size = sk->sk_prot->max_header + len; release_sock(sk); skb = sock_alloc_send_skb(sk, size, noblock, &rc); lock_sock(sk);
+ show +
37
38
39
40
41
42
if (skb == NULL) goto out_release; skb_reserve(skb, sk->sk_prot->max_header); rc = memcpy_from_msg(skb_put(skb, len), msg, len); if (rc != 0)
+ show +
43
44
45
46
47
48
49
50
51
52
goto out_discard; rc = dccp_msghdr_parse(msg, skb); if (rc != 0) goto out_discard; dccp_qpolicy_push(sk, skb); /* * The xmit_timer is set if the TX CCID is rate-based and will expire * when congestion control permits to release further packets into the
.\cloneFuncs\totalClone\Type-3\CVE-2017-8824_before_6mo_1502892195_dccp_sendmsg.c
25
26
27
28
29
30
31
32
33
34
*/ /* Wait for a connection to finish. */ if ((1 << sk->sk_state) & ~(DCCPF_OPEN | DCCPF_PARTOPEN)) if ((rc = sk_stream_wait_connect(sk, &timeo)) != 0) goto out_release; size = sk->sk_prot->max_header + len; release_sock(sk); skb = sock_alloc_send_skb(sk, size, noblock, &rc); lock_sock(sk);
+ show +
35
36
37
38
39
40
if (skb == NULL) goto out_release; skb_reserve(skb, sk->sk_prot->max_header); rc = memcpy_from_msg(skb_put(skb, len), msg, len); if (rc != 0)
+ show +
41
42
43
44
45
46
47
48
49
50
goto out_discard; rc = dccp_msghdr_parse(msg, skb); if (rc != 0) goto out_discard; dccp_qpolicy_push(sk, skb); /* * The xmit_timer is set if the TX CCID is rate-based and will expire * when congestion control permits to release further packets into the

[ffmpeg_CVE-2017-9608_1497452300_dnxhd_find_frame_end.diff] dnxhd_find_frame_end_OLD.c #1
dctx->w = (state >> 32) & 0xFFFF; } else if (dctx->cur_byte == 42) { int cid = (state >> 32) & 0xFFFFFFFF; + int remaining; if (cid <= 0) continue; - dctx->remaining = avpriv_dnxhd_get_frame_size(cid); - if (dctx->remaining <= 0) { - dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); - if (dctx->remaining <= 0) - return dctx->remaining; + remaining = avpriv_dnxhd_get_frame_size(cid); + if (remaining <= 0) { + remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); + if (remaining <= 0) + continue; } + dctx->remaining = remaining; if (buf_size - i + 47 >= dctx->remaining) { int remaining = dctx->remaining;
.\cloneFuncs\totalClone\Type-1\CVE-2017-9608_before_imd_1492941237_dnxhd_find_frame_end.c
22
23
24
25
26
27
28
29
30
31
if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { dctx->cur_byte++; state = (state << 8) | buf[i]; if (dctx->cur_byte == 24) { dctx->h = (state >> 32) & 0xFFFF; } else if (dctx->cur_byte == 26) {
+ show +
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
dctx->w = (state >> 32) & 0xFFFF; } else if (dctx->cur_byte == 42) { int cid = (state >> 32) & 0xFFFFFFFF; if (cid <= 0) continue; dctx->remaining = avpriv_dnxhd_get_frame_size(cid); if (dctx->remaining <= 0) { dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); if (dctx->remaining <= 0) return dctx->remaining; } if (buf_size - i + 47 >= dctx->remaining) { int remaining = dctx->remaining;
+ show +
47
48
49
50
51
52
53
54
55
56
pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; dctx->remaining = 0; return remaining; } else { dctx->remaining -= buf_size; } }

[libtiff_CVE-2017-9935_1512593207_t2p_read_tiff_init.diff] t2p_read_tiff_init_OLD.c #1
uint16 pagen=0; uint16 paged=0; uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; + float* tiff_transferfunction[3]; directorycount=TIFFNumberOfDirectories(input); t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-9935_before_1mo_1509303041_t2p_read_tiff_init.c
1
2
3
4
void t2p_read_tiff_init(T2P* t2p, TIFF* input){ tdir_t directorycount=0; tdir_t i=0;
+ show +
5
6
7
8
9
10
uint16 pagen=0; uint16 paged=0; uint16 xuint16=0; directorycount=TIFFNumberOfDirectories(input); t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ show +
11
12
13
14
15
16
17
18
19
20
if(t2p->tiff_pages==NULL){ TIFFError( TIFF2PDF_MODULE, "Can't allocate " TIFF_SIZE_FORMAT " bytes of memory for tiff_pages array, %s", (TIFF_SIZE_T) directorycount * sizeof(T2P_PAGE), TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; return; } _TIFFmemset( t2p->tiff_pages, 0x00, directorycount * sizeof(T2P_PAGE));

[libtiff_CVE-2017-9935_1512593207_t2p_read_tiff_init.diff] t2p_read_tiff_init_OLD.c #2
} #endif if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && - (t2p->tiff_transferfunction[2] != (float*) NULL) && - (t2p->tiff_transferfunction[1] != - t2p->tiff_transferfunction[0])) { - t2p->tiff_transferfunctioncount = 3; - t2p->tiff_pages[i].page_extra += 4; - t2p->pdf_xrefcount += 4; - } else { - t2p->tiff_transferfunctioncount = 1; - t2p->tiff_pages[i].page_extra += 2; - t2p->pdf_xrefcount += 2; - } - if(t2p->pdf_minorversion < 2) - t2p->pdf_minorversion = 2; + &(tiff_transferfunction[0]), + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + + if((tiff_transferfunction[1] != (float*) NULL) && + (tiff_transferfunction[2] != (float*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { + tiff_transferfunctioncount=1; + } } else { - t2p->tiff_transferfunctioncount=0; + tiff_transferfunctioncount=0; } + + if (i > 0){ + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ + TIFFError( + TIFF2PDF_MODULE, + "Different transfer function on page %d", + i); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + } + + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; + if(tiff_transferfunctioncount == 3){ + t2p->tiff_pages[i].page_extra += 4; + t2p->pdf_xrefcount += 4; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } else if (tiff_transferfunctioncount == 1){ + t2p->tiff_pages[i].page_extra += 2; + t2p->pdf_xrefcount += 2; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } + if( TIFFGetField( input, TIFFTAG_ICCPROFILE,
.\cloneFuncs\totalClone\Type-1\CVE-2017-9935_before_1mo_1509303041_t2p_read_tiff_init.c
95
96
97
98
99
100
101
102
103
104
} #ifdef ZIP_SUPPORT if (TIFFGetField(input, TIFFTAG_COMPRESSION, &xuint16)) { if( (xuint16== COMPRESSION_DEFLATE || xuint16== COMPRESSION_ADOBE_DEFLATE) && ((t2p->tiff_pages[i].page_tilecount != 0) || TIFFNumberOfStrips(input)==1) && (t2p->pdf_nopassthrough==0) ){ if(t2p->pdf_minorversion<2){t2p->pdf_minorversion=2;} }
+ show +
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
} #endif if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, &(t2p->tiff_transferfunction[0]), &(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[2]))) { if((t2p->tiff_transferfunction[1] != (float*) NULL) && (t2p->tiff_transferfunction[2] != (float*) NULL) && (t2p->tiff_transferfunction[1] != t2p->tiff_transferfunction[0])) { t2p->tiff_transferfunctioncount = 3; t2p->tiff_pages[i].page_extra += 4; t2p->pdf_xrefcount += 4; } else { t2p->tiff_transferfunctioncount = 1; t2p->tiff_pages[i].page_extra += 2; t2p->pdf_xrefcount += 2; } if(t2p->pdf_minorversion < 2) t2p->pdf_minorversion = 2; } else { t2p->tiff_transferfunctioncount=0; } if( TIFFGetField( input, TIFFTAG_ICCPROFILE,
+ show +
131
132
133
134
135
136
137
138
139
140
&(t2p->tiff_iccprofilelength), &(t2p->tiff_iccprofile)) != 0){ t2p->tiff_pages[i].page_extra++; t2p->pdf_xrefcount++; if(t2p->pdf_minorversion<3){t2p->pdf_minorversion=3;} } t2p->tiff_tiles[i].tiles_tilecount= t2p->tiff_pages[i].page_tilecount; if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){

[openssl_CVE-2018-0732_1528738734_generate_key.diff] generate_key_OLD.c #1
int ok = 0; int generate_new_key = 0; unsigned l; - BN_CTX *ctx; + BN_CTX *ctx = NULL; BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0732_before_imd_1508249049_generate_key.c
1
2
static int generate_key(DH *dh) {
+ show +
3
4
5
6
7
8
9
10
11
12
int ok = 0; int generate_new_key = 0; unsigned l; BN_CTX *ctx; BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; ctx = BN_CTX_new(); if (ctx == NULL) goto err;
+ show +
13
14
15
16
17
18
19
20
21
22
if (dh->priv_key == NULL) { priv_key = BN_secure_new(); if (priv_key == NULL) goto err; generate_new_key = 1; } else priv_key = dh->priv_key; if (dh->pub_key == NULL) {
.\cloneFuncs\totalClone\Type-2\CVE-2018-0732_before_1mo_1507547158_generate_key.c
1
2
static int generate_key(DH *dh) {
+ show +
3
4
5
6
7
8
9
10
11
12
int ok = 0; int generate_new_key = 0; unsigned l; BN_CTX *ctx; BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; ctx = BN_CTX_new(); if (ctx == NULL) goto err;
+ show +
13
14
15
16
17
18
19
20
21
22
if (dh->priv_key == NULL) { priv_key = BN_secure_new(); if (priv_key == NULL) goto err; generate_new_key = 1; } else priv_key = dh->priv_key; if (dh->pub_key == NULL) {

[openssl_CVE-2018-0735_1540515298_ec_scalar_mul_ladder.diff] ec_scalar_mul_ladder_OLD.c #1
*/ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); - if ((bn_wexpand(k, group_top + 1) == NULL) - || (bn_wexpand(lambda, group_top + 1) == NULL)) { + if ((bn_wexpand(k, group_top + 2) == NULL) + || (bn_wexpand(lambda, group_top + 2) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-0735_before_imd_1531035579_ec_scalar_mul_ladder.c
58
59
60
61
62
63
64
65
66
67
if (!BN_mul(cardinality, group->order, group->cofactor, ctx)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } /* * Group cardinalities are often on a word boundary. * So when we pad the scalar, some timing diff might * pop if it needs to be expanded due to carries. * So expand ahead of time.
+ show +
68
69
70
71
72
73
74
75
*/ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); if ((bn_wexpand(k, group_top + 1) == NULL) || (bn_wexpand(lambda, group_top + 1) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; }
+ show +
76
77
78
79
80
81
82
83
84
85
if (!BN_copy(k, scalar)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } BN_set_flags(k, BN_FLG_CONSTTIME); if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { /*-
.\cloneFuncs\totalClone\Type-3\CVE-2018-0735_before_1mo_1531000249_ec_scalar_mul_ladder.c
54
55
56
57
58
59
60
61
62
63
if (!BN_mul(cardinality, group->order, group->cofactor, ctx)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } /* * Group cardinalities are often on a word boundary. * So when we pad the scalar, some timing diff might * pop if it needs to be expanded due to carries. * So expand ahead of time.
+ show +
64
65
66
67
68
69
70
71
*/ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); if ((bn_wexpand(k, group_top + 1) == NULL) || (bn_wexpand(lambda, group_top + 1) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; }
+ show +
72
73
74
75
76
77
78
79
80
81
if (!BN_copy(k, scalar)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } BN_set_flags(k, BN_FLG_CONSTTIME); if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { /*-

[openssl_CVE-2018-0735_1540515298_ec_scalar_mul_ladder.diff] ec_scalar_mul_ladder_OLD.c #2
* k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); - BN_consttime_swap(kbit, k, lambda, group_top + 1); + BN_consttime_swap(kbit, k, lambda, group_top + 2); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL)
.\cloneFuncs\totalClone\Type-1\CVE-2018-0735_before_imd_1531035579_ec_scalar_mul_ladder.c
96
97
98
99
100
101
102
103
104
105
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } BN_set_flags(lambda, BN_FLG_CONSTTIME); if (!BN_add(k, lambda, cardinality)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } /* * lambda := scalar + cardinality
+ show +
106
107
108
109
110
111
112
* k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); BN_consttime_swap(kbit, k, lambda, group_top + 1); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL)
+ show +
113
114
115
116
117
118
119
120
121
122
|| (bn_wexpand(s->Y, group_top) == NULL) || (bn_wexpand(s->Z, group_top) == NULL) || (bn_wexpand(r->X, group_top) == NULL) || (bn_wexpand(r->Y, group_top) == NULL) || (bn_wexpand(r->Z, group_top) == NULL) || (bn_wexpand(p->X, group_top) == NULL) || (bn_wexpand(p->Y, group_top) == NULL) || (bn_wexpand(p->Z, group_top) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2018-0735_before_1mo_1531000249_ec_scalar_mul_ladder.c
92
93
94
95
96
97
98
99
100
101
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } BN_set_flags(lambda, BN_FLG_CONSTTIME); if (!BN_add(k, lambda, cardinality)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } /* * lambda := scalar + cardinality
+ show +
102
103
104
105
106
107
108
* k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); BN_consttime_swap(kbit, k, lambda, group_top + 1); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL)
+ show +
109
110
111
112
113
114
115
116
117
118
|| (bn_wexpand(s->Y, group_top) == NULL) || (bn_wexpand(s->Z, group_top) == NULL) || (bn_wexpand(r->X, group_top) == NULL) || (bn_wexpand(r->Y, group_top) == NULL) || (bn_wexpand(r->Z, group_top) == NULL) || (bn_wexpand(p->X, group_top) == NULL) || (bn_wexpand(p->Y, group_top) == NULL) || (bn_wexpand(p->Z, group_top) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err;

[openssl_CVE-2018-0739_1521711593_asn1_template_ex_d2i.diff] asn1_template_ex_d2i_OLD.c #1
static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx) + ASN1_TLC *ctx, int depth) { int flags, aclass; int ret;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_1mo_1476442303_asn1_template_ex_d2i.c
+ show +
1
2
3
4
5
6
7
static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) { int flags, aclass; int ret;
+ show +
8
9
10
11
12
13
14
15
16
17
long len; const unsigned char *p, *q; char exp_eoc; if (!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; p = *in;

[openssl_CVE-2018-0739_1521711593_asn1_template_ex_d2i.diff] asn1_template_ex_d2i_OLD.c #2
return 0; } /* We've found the field so it can't be OPTIONAL now */ - ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); + ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_1mo_1476442303_asn1_template_ex_d2i.c
26
27
28
29
30
31
32
33
34
35
&p, inlen, tt->tag, aclass, opt, ctx); q = p; if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } else if (ret == -1) return -1; if (!cst) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+ show +
36
37
38
39
40
41
42
return 0; } /* We've found the field so it can't be OPTIONAL now */ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0;
+ show +
43
44
45
46
47
48
49
50
51
52
} /* We read the field in OK so update length */ len -= p - q; if (exp_eoc) { /* If NDEF we must have an EOC here */ if (!asn1_check_eoc(&p, len)) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_MISSING_EOC); goto err; } } else {

[openssl_CVE-2018-0739_1521711593_asn1_template_noexp_d2i.diff] asn1_template_noexp_d2i_OLD.c #1
static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx) + ASN1_TLC *ctx, int depth) { int flags, aclass; int ret;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_imd_1506564784_asn1_template_noexp_d2i.c
+ show +
1
2
3
4
5
6
7
static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) { int flags, aclass; int ret;
+ show +
8
9
10
11
12
13
14
15
16
17
ASN1_VALUE *tval; const unsigned char *p, *q; if (!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; p = *in; q = p;
.\cloneFuncs\totalClone\Type-2\CVE-2018-0739_before_1mo_1476442303_asn1_template_noexp_d2i.c
+ show +
1
2
3
4
5
6
7
static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) { int flags, aclass; int ret;
+ show +
8
9
10
11
12
13
14
15
16
17
ASN1_VALUE *tval; const unsigned char *p, *q; if (!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; p = *in; q = p;

[openssl_CVE-2018-0739_1521711593_asn1_template_noexp_d2i.diff] asn1_template_noexp_d2i_OLD.c #2
} skfield = NULL; if (!asn1_item_embed_d2i(&skfield, &p, len, - ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { + ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx, + depth)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); /* |skfield| may be partially allocated despite failure. */
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_imd_1506564784_asn1_template_noexp_d2i.c
73
74
75
76
77
78
79
80
81
82
/* See if EOC found */ if (asn1_check_eoc(&p, len)) { if (!sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_UNEXPECTED_EOC); goto err; } len -= p - q; sk_eoc = 0; break;
+ show +
83
84
85
86
87
88
89
} skfield = NULL; if (!asn1_item_embed_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); /* |skfield| may be partially allocated despite failure. */
+ show +
90
91
92
93
94
95
96
97
98
99
ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } len -= p - q; if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } }
.\cloneFuncs\totalClone\Type-2\CVE-2018-0739_before_1mo_1476442303_asn1_template_noexp_d2i.c
73
74
75
76
77
78
79
80
81
82
/* See if EOC found */ if (asn1_check_eoc(&p, len)) { if (!sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_UNEXPECTED_EOC); goto err; } len -= p - q; sk_eoc = 0; break;
+ show +
83
84
85
86
87
88
89
} skfield = NULL; if (!asn1_item_embed_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); /* |skfield| may be partially allocated despite failure. */
+ show +
90
91
92
93
94
95
96
97
98
99
ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } len -= p - q; if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } }

[openssl_CVE-2018-0739_1521711593_asn1_template_noexp_d2i.diff] asn1_template_noexp_d2i_OLD.c #3
/* IMPLICIT tagging */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, - ctx); + ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_imd_1506564784_asn1_template_noexp_d2i.c
95
96
97
98
99
100
101
102
103
104
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } } if (sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); goto err; } } else if (flags & ASN1_TFLG_IMPTAG) {
+ show +
105
106
107
108
109
110
111
/* IMPLICIT tagging */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
112
113
114
115
116
117
118
119
120
121
} else if (ret == -1) return -1; } else { /* Nothing special */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1)
.\cloneFuncs\totalClone\Type-2\CVE-2018-0739_before_1mo_1476442303_asn1_template_noexp_d2i.c
95
96
97
98
99
100
101
102
103
104
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } } if (sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); goto err; } } else if (flags & ASN1_TFLG_IMPTAG) {
+ show +
105
106
107
108
109
110
111
/* IMPLICIT tagging */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
112
113
114
115
116
117
118
119
120
121
} else if (ret == -1) return -1; } else { /* Nothing special */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1)

[openssl_CVE-2018-0739_1521711593_asn1_template_noexp_d2i.diff] asn1_template_noexp_d2i_OLD.c #4
} else { /* Nothing special */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, 0, opt, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2018-0739_before_imd_1506564784_asn1_template_noexp_d2i.c
104
105
106
107
108
109
110
111
112
113
} else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1;
+ show +
114
115
116
117
118
119
120
} else { /* Nothing special */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
121
122
123
124
125
126
127
128
129
130
} else if (ret == -1) return -1; } *in = p; return 1; err: return 0; }
.\cloneFuncs\totalClone\Type-2\CVE-2018-0739_before_1mo_1476442303_asn1_template_noexp_d2i.c
104
105
106
107
108
109
110
111
112
113
} else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1;
+ show +
114
115
116
117
118
119
120
} else { /* Nothing special */ ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err;
+ show +
121
122
123
124
125
126
127
128
129
130
} else if (ret == -1) return -1; } *in = p; return 1; err: return 0; }

[linux_CVE-2018-1000004_1520283969_snd_seq_cell_alloc.diff] snd_seq_cell_alloc_OLD.c #1
static int snd_seq_cell_alloc(struct snd_seq_pool *pool, struct snd_seq_event_cell **cellp, - int nonblock, struct file *file) + int nonblock, struct file *file, + struct mutex *mutexp) { struct snd_seq_event_cell *cell; unsigned long flags;
.\cloneFuncs\totalClone\Type-1\CVE-2018-1000004_before_1mo_1497953173_snd_seq_cell_alloc.c
+ show +
1
2
3
4
5
6
static int snd_seq_cell_alloc(struct snd_seq_pool *pool, struct snd_seq_event_cell **cellp, int nonblock, struct file *file) { struct snd_seq_event_cell *cell; unsigned long flags;
+ show +
7
8
9
10
11
12
13
14
15
16
int err = -EAGAIN; wait_queue_entry_t wait; if (pool == NULL) return -EINVAL; *cellp = NULL; init_waitqueue_entry(&wait, current); spin_lock_irqsave(&pool->lock, flags);
.\cloneFuncs\totalClone\Type-2\CVE-2018-1000004_before_6mo_1497622524_snd_seq_cell_alloc.c
+ show +
1
2
3
4
5
6
static int snd_seq_cell_alloc(struct snd_seq_pool *pool, struct snd_seq_event_cell **cellp, int nonblock, struct file *file) { struct snd_seq_event_cell *cell; unsigned long flags;
+ show +
7
8
9
10
11
12
13
14
15
16
int err = -EAGAIN; wait_queue_t wait; if (pool == NULL) return -EINVAL; *cellp = NULL; init_waitqueue_entry(&wait, current); spin_lock_irqsave(&pool->lock, flags);

[linux_CVE-2018-1000004_1520283969_snd_seq_cell_alloc.diff] snd_seq_cell_alloc_OLD.c #2
set_current_state(TASK_INTERRUPTIBLE); add_wait_queue(&pool->output_sleep, &wait); spin_unlock_irq(&pool->lock); + if (mutexp) + mutex_unlock(mutexp); schedule(); + if (mutexp) + mutex_lock(mutexp); spin_lock_irq(&pool->lock); remove_wait_queue(&pool->output_sleep, &wait); /* interrupted? */
.\cloneFuncs\totalClone\Type-1\CVE-2018-1000004_before_1mo_1497953173_snd_seq_cell_alloc.c
14
15
16
17
18
19
20
21
22
23
init_waitqueue_entry(&wait, current); spin_lock_irqsave(&pool->lock, flags); if (pool->ptr == NULL) { /* not initialized */ pr_debug("ALSA: seq: pool is not initialized\n"); err = -EINVAL; goto __error; } while (pool->free == NULL && ! nonblock && ! pool->closing) {
+ show +
24
25
26
27
28
29
30
set_current_state(TASK_INTERRUPTIBLE); add_wait_queue(&pool->output_sleep, &wait); spin_unlock_irq(&pool->lock); schedule(); spin_lock_irq(&pool->lock); remove_wait_queue(&pool->output_sleep, &wait); /* interrupted? */
+ show +
31
32
33
34
35
36
37
38
39
40
if (signal_pending(current)) { err = -ERESTARTSYS; goto __error; } } if (pool->closing) { /* closing.. */ err = -ENOMEM; goto __error; }
.\cloneFuncs\totalClone\Type-2\CVE-2018-1000004_before_6mo_1497622524_snd_seq_cell_alloc.c
14
15
16
17
18
19
20
21
22
23
init_waitqueue_entry(&wait, current); spin_lock_irqsave(&pool->lock, flags); if (pool->ptr == NULL) { /* not initialized */ pr_debug("ALSA: seq: pool is not initialized\n"); err = -EINVAL; goto __error; } while (pool->free == NULL && ! nonblock && ! pool->closing) {
+ show +
24
25
26
27
28
29
30
set_current_state(TASK_INTERRUPTIBLE); add_wait_queue(&pool->output_sleep, &wait); spin_unlock_irq(&pool->lock); schedule(); spin_lock_irq(&pool->lock); remove_wait_queue(&pool->output_sleep, &wait); /* interrupted? */
+ show +
31
32
33
34
35
36
37
38
39
40
if (signal_pending(current)) { err = -ERESTARTSYS; goto __error; } } if (pool->closing) { /* closing.. */ err = -ENOMEM; goto __error; }

[linux_CVE-2018-1000200_1526079724___oom_reap_task_mm.diff] __oom_reap_task_mm_OLD.c #2
if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { const unsigned long start = vma->vm_start; const unsigned long end = vma->vm_end; + struct mmu_gather tlb; tlb_gather_mmu(&tlb, mm, start, end); mmu_notifier_invalidate_range_start(mm, start, end);
.\cloneFuncs\totalClone\Type-1\CVE-2018-1000200_before_1mo_1522970719___oom_reap_task_mm.c
67
68
69
70
71
72
73
74
75
76
/* * Only anonymous pages have a good chance to be dropped * without additional steps which we cannot afford as we * are OOM already. * * We do not even care about fs backed pages because all * which are reclaimable have already been reclaimed and * we do not want to block exit_mmap by keeping mm ref * count elevated without a good reason. */
+ show +
77
78
79
80
81
82
if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { const unsigned long start = vma->vm_start; const unsigned long end = vma->vm_end; tlb_gather_mmu(&tlb, mm, start, end); mmu_notifier_invalidate_range_start(mm, start, end);
+ show +
83
84
85
86
87
88
89
90
91
92
unmap_page_range(&tlb, vma, start, end, NULL); mmu_notifier_invalidate_range_end(mm, start, end); tlb_finish_mmu(&tlb, start, end); } } pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n", task_pid_nr(tsk), tsk->comm, K(get_mm_counter(mm, MM_ANONPAGES)), K(get_mm_counter(mm, MM_FILEPAGES)), K(get_mm_counter(mm, MM_SHMEMPAGES)));

[linux_CVE-2018-1000200_1526079724_oom_reap_task.diff] oom_reap_task_OLD.c #1
struct mm_struct *mm = tsk->signal->oom_mm; /* Retry the down_read_trylock(mmap_sem) a few times */ - while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) + while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm)) schedule_timeout_idle(HZ/10); if (attempts <= MAX_OOM_REAP_RETRIES || test_bit(MMF_OOM_SKIP, &mm->flags)) goto done; - pr_info("oom_reaper: unable to reap pid:%d (%s)\n", task_pid_nr(tsk), tsk->comm); debug_show_all_locks();
.\cloneFuncs\totalClone\Type-1\CVE-2018-1000200_before_imd_1522970745_oom_reap_task.c
1
2
3
static void oom_reap_task(struct task_struct *tsk) { int attempts = 0;
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
16
17
struct mm_struct *mm = tsk->signal->oom_mm; /* Retry the down_read_trylock(mmap_sem) a few times */ while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) schedule_timeout_idle(HZ/10); if (attempts <= MAX_OOM_REAP_RETRIES || test_bit(MMF_OOM_SKIP, &mm->flags)) goto done; pr_info("oom_reaper: unable to reap pid:%d (%s)\n", task_pid_nr(tsk), tsk->comm); debug_show_all_locks();
+ show +
18
19
20
21
22
23
24
25
26
27
done: tsk->oom_reaper_list = NULL; /* * Hide this mm from OOM killer because it has been either reaped or * somebody can't call up_write(mmap_sem). */ set_bit(MMF_OOM_SKIP, &mm->flags);

[libtiff_CVE-2018-10779_1534343680_TIFFSetupStrips.diff] TIFFSetupStrips_OLD.c #1
if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; td->td_stripoffset = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripOffsets\" array"); td->td_stripbytecount = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripByteCounts\" array"); if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) return (0); /*
.\cloneFuncs\totalClone\Type-1\CVE-2018-10779_before_1mo_1480802264_TIFFSetupStrips.c
5
6
7
8
9
10
11
12
13
14
if (isTiled(tif)) td->td_stripsperimage = isUnspecified(tif, FIELD_TILEDIMENSIONS) ? td->td_samplesperpixel : TIFFNumberOfTiles(tif); else td->td_stripsperimage = isUnspecified(tif, FIELD_ROWSPERSTRIP) ? td->td_samplesperpixel : TIFFNumberOfStrips(tif); td->td_nstrips = td->td_stripsperimage;
+ show +
15
16
17
18
19
20
21
22
23
if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; td->td_stripoffset = (uint64 *) _TIFFmalloc(td->td_nstrips * sizeof (uint64)); td->td_stripbytecount = (uint64 *) _TIFFmalloc(td->td_nstrips * sizeof (uint64)); if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) return (0); /*
+ show +
24
25
26
27
28
29
30
31
32
* Place data at the end-of-file * (by setting offsets to zero). */ _TIFFmemset(td->td_stripoffset, 0, td->td_nstrips*sizeof (uint64)); _TIFFmemset(td->td_stripbytecount, 0, td->td_nstrips*sizeof (uint64)); TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS); return (1); }

[linux_CVE-2018-10840_1527089463_ext4_xattr_set_entry.diff] ext4_xattr_set_entry_OLD.c #1
/* No failures allowed past this point. */ - if (!s->not_found && here->e_value_offs) { + if (!s->not_found && here->e_value_size && here->e_value_offs) { /* Remove the old value. */ void *first_val = s->base + min_offs; size_t offs = le16_to_cpu(here->e_value_offs);
.\cloneFuncs\totalClone\Type-1\CVE-2018-10840_before_1mo_1522454456_ext4_xattr_set_entry.c
122
123
124
125
126
127
128
129
130
131
ext4_xattr_inode_free_quota(inode, new_ea_inode, i->value_len); } goto out; } ext4_xattr_inode_free_quota(inode, old_ea_inode, le32_to_cpu(here->e_value_size)); }
+ show +
132
133
134
135
136
137
/* No failures allowed past this point. */ if (!s->not_found && here->e_value_offs) { /* Remove the old value. */ void *first_val = s->base + min_offs; size_t offs = le16_to_cpu(here->e_value_offs);
+ show +
138
139
140
141
142
143
144
145
146
147
void *val = s->base + offs; memmove(first_val + old_size, first_val, val - first_val); memset(first_val, 0, old_size); min_offs += old_size; /* Adjust all value offsets. */ last = s->first; while (!IS_LAST_ENTRY(last)) { size_t o = le16_to_cpu(last->e_value_offs);

[linux_CVE-2018-10853_1528299489_handle_ud.diff] handle_ud_OLD.c #1
struct x86_exception e; if (force_emulation_prefix && - kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, - kvm_get_linear_rip(vcpu), sig, sizeof(sig), &e) == 0 && + kvm_read_guest_virt(vcpu, kvm_get_linear_rip(vcpu), + sig, sizeof(sig), &e) == 0 && memcmp(sig, "\xf\xbkvm", sizeof(sig)) == 0) { kvm_rip_write(vcpu, kvm_rip_read(vcpu) + sizeof(sig)); emul_type = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2018-10853_before_1mo_1523612315_handle_ud.c
1
2
3
4
5
int handle_ud(struct kvm_vcpu *vcpu) { int emul_type = EMULTYPE_TRAP_UD; enum emulation_result er; char sig[5]; /* ud2; .ascii "kvm" */
+ show +
6
7
8
9
10
11
12
13
struct x86_exception e; if (force_emulation_prefix && kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, kvm_get_linear_rip(vcpu), sig, sizeof(sig), &e) == 0 && memcmp(sig, "\xf\xbkvm", sizeof(sig)) == 0) { kvm_rip_write(vcpu, kvm_rip_read(vcpu) + sizeof(sig)); emul_type = 0;
+ show +
14
15
16
17
18
19
20
21
22
} er = emulate_instruction(vcpu, emul_type); if (er == EMULATE_USER_EXIT) return 0; if (er != EMULATE_DONE) kvm_queue_exception(vcpu, UD_VECTOR); return 1; }

[linux_CVE-2018-10879_1528865488___ext4_xattr_check_block.diff] __ext4_xattr_check_block_OLD.c #1
{ int error = -EFSCORRUPTED; - if (buffer_verified(bh)) - return 0; - if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) goto errout; + if (buffer_verified(bh)) + return 0; + error = -EFSBADCRC; if (!ext4_xattr_block_csum_verify(inode, bh)) goto errout;
.\cloneFuncs\totalClone\Type-1\CVE-2018-10879_before_1mo_1522454651___ext4_xattr_check_block.c
1
2
3
static inline int __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, const char *function, unsigned int line)
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
{ int error = -EFSCORRUPTED; if (buffer_verified(bh)) return 0; if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) goto errout; error = -EFSBADCRC; if (!ext4_xattr_block_csum_verify(inode, bh)) goto errout;
+ show +
16
17
18
19
20
21
22
23
24
25
error = ext4_xattr_check_entries(BFIRST(bh), bh->b_data + bh->b_size, bh->b_data); errout: if (error) __ext4_error_inode(inode, function, line, 0, "corrupted xattr block %llu", (unsigned long long) bh->b_blocknr); else set_buffer_verified(bh); return error;

[linux_CVE-2018-10880_1529178048_ext4_xattr_make_inode_space.diff] ext4_xattr_make_inode_space_OLD.c #1
last = IFIRST(header); /* Find the entry best suited to be pushed into EA block */ for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { + /* never move system.data out of the inode */ + if ((last->e_name_len == 4) && + (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && + !memcmp(last->e_name, "data", 4)) + continue; total_size = EXT4_XATTR_LEN(last->e_name_len); if (!last->e_value_inum) total_size += EXT4_XATTR_SIZE(
.\cloneFuncs\totalClone\Type-1\CVE-2018-10880_before_1mo_1522454651_ext4_xattr_make_inode_space.c
9
10
11
12
13
14
15
16
17
18
struct ext4_xattr_entry *last; unsigned int entry_size; /* EA entry size */ unsigned int total_size; /* EA entry size + value size */ unsigned int min_total_size; int error; while (isize_diff > ifree) { entry = NULL; small_entry = NULL; min_total_size = ~0U;
+ show +
19
20
21
22
23
24
last = IFIRST(header); /* Find the entry best suited to be pushed into EA block */ for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { total_size = EXT4_XATTR_LEN(last->e_name_len); if (!last->e_value_inum) total_size += EXT4_XATTR_SIZE(
+ show +
25
26
27
28
29
30
31
32
33
34
le32_to_cpu(last->e_value_size)); if (total_size <= bfree && total_size < min_total_size) { if (total_size + ifree < isize_diff) { small_entry = last; } else { entry = last; min_total_size = total_size; } }

[linux_CVE-2018-10881_1529080096_ext4_destroy_inline_data_nolock.diff] ext4_destroy_inline_data_nolock_OLD.c #1
memset((void *)ext4_raw_inode(&is.iloc)->i_block, 0, EXT4_MIN_INLINE_DATA_SIZE); + memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); if (ext4_has_feature_extents(inode->i_sb)) { if (S_ISDIR(inode->i_mode) ||
.\cloneFuncs\totalClone\Type-1\CVE-2018-10881_before_1mo_1518042322_ext4_destroy_inline_data_nolock.c
26
27
28
29
30
31
32
33
34
35
BUFFER_TRACE(is.iloc.bh, "get_write_access"); error = ext4_journal_get_write_access(handle, is.iloc.bh); if (error) goto out; error = ext4_xattr_ibody_inline_set(handle, inode, &i, &is); if (error) goto out;
+ show +
36
37
38
39
40
memset((void *)ext4_raw_inode(&is.iloc)->i_block, 0, EXT4_MIN_INLINE_DATA_SIZE); if (ext4_has_feature_extents(inode->i_sb)) { if (S_ISDIR(inode->i_mode) ||
+ show +
41
42
43
44
45
46
47
48
49
50
S_ISREG(inode->i_mode) || S_ISLNK(inode->i_mode)) { ext4_set_inode_flag(inode, EXT4_INODE_EXTENTS); ext4_ext_tree_init(handle, inode); } } ext4_clear_inode_flag(inode, EXT4_INODE_INLINE_DATA); get_bh(is.iloc.bh); error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);

[linux_CVE-2018-1093_1522122850_ext4_read_inode_bitmap.diff] ext4_read_inode_bitmap_OLD.c #1
ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; + struct ext4_sb_info *sbi = EXT4_SB(sb); struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; int err;
.\cloneFuncs\totalClone\Type-1\CVE-2018-1093_before_imd_1519067807_ext4_read_inode_bitmap.c
1
static struct buffer_head *
+ show +
2
3
4
5
6
7
ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; int err;
+ show +
8
9
10
11
12
13
14
15
16
17
desc = ext4_get_group_desc(sb, block_group, NULL); if (!desc) return ERR_PTR(-EFSCORRUPTED); bitmap_blk = ext4_inode_bitmap(sb, desc); bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - " "block_group = %u, inode_bitmap = %llu",
.\cloneFuncs\totalClone\Type-3\CVE-2018-1093_before_1mo_1515694669_ext4_read_inode_bitmap.c
1
static struct buffer_head *
+ show +
2
3
4
5
6
7
ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; int err;
+ show +
8
9
10
11
12
13
14
15
16
17
desc = ext4_get_group_desc(sb, block_group, NULL); if (!desc) return ERR_PTR(-EFSCORRUPTED); bitmap_blk = ext4_inode_bitmap(sb, desc); bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - " "block_group = %u, inode_bitmap = %llu",

[linux_CVE-2018-1093_1522122850_ext4_read_inode_bitmap.diff] ext4_read_inode_bitmap_OLD.c #2
return ERR_PTR(-EFSCORRUPTED); bitmap_blk = ext4_inode_bitmap(sb, desc); + if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || + (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { + ext4_error(sb, "Invalid inode bitmap blk %llu in " + "block_group %u", bitmap_blk, block_group); + return ERR_PTR(-EFSCORRUPTED); + } bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - "
.\cloneFuncs\totalClone\Type-1\CVE-2018-1093_before_imd_1519067807_ext4_read_inode_bitmap.c
1
2
3
4
5
6
7
8
9
10
static struct buffer_head * ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; int err; desc = ext4_get_group_desc(sb, block_group, NULL); if (!desc)
+ show +
11
12
13
14
15
16
return ERR_PTR(-EFSCORRUPTED); bitmap_blk = ext4_inode_bitmap(sb, desc); bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - "
+ show +
17
18
19
20
21
22
23
24
25
26
"block_group = %u, inode_bitmap = %llu", block_group, bitmap_blk); return ERR_PTR(-EIO); } if (bitmap_uptodate(bh)) goto verify; lock_buffer(bh); if (bitmap_uptodate(bh)) { unlock_buffer(bh);
.\cloneFuncs\totalClone\Type-3\CVE-2018-1093_before_1mo_1515694669_ext4_read_inode_bitmap.c
1
2
3
4
5
6
7
8
9
10
static struct buffer_head * ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; int err; desc = ext4_get_group_desc(sb, block_group, NULL); if (!desc)
+ show +
11
12
13
14
15
16
return ERR_PTR(-EFSCORRUPTED); bitmap_blk = ext4_inode_bitmap(sb, desc); bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - "
+ show +
17
18
19
20
21
22
23
24
25
26
"block_group = %u, inode_bitmap = %llu", block_group, bitmap_blk); return ERR_PTR(-EIO); } if (bitmap_uptodate(bh)) goto verify; lock_buffer(bh); if (bitmap_uptodate(bh)) { unlock_buffer(bh);

[linux_CVE-2018-1095_1522348302_ext4_xattr_check_entries.diff] ext4_xattr_check_entries_OLD.c #1
/* Check the values */ while (!IS_LAST_ENTRY(entry)) { - if (entry->e_value_size != 0 && - entry->e_value_inum == 0) { + u32 size = le32_to_cpu(entry->e_value_size); + + if (size > INT_MAX) + return -EFSCORRUPTED; + + if (size != 0 && entry->e_value_inum == 0) { u16 offs = le16_to_cpu(entry->e_value_offs); - u32 size = le32_to_cpu(entry->e_value_size); void *value; /*
.\cloneFuncs\totalClone\Type-1\CVE-2018-1095_before_1mo_1509545277_ext4_xattr_check_entries.c
5
6
7
8
9
10
11
12
13
14
struct ext4_xattr_entry *e = entry; /* Find the end of the names list */ while (!IS_LAST_ENTRY(e)) { struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); if ((void *)next >= end) return -EFSCORRUPTED; e = next; }
+ show +
15
16
17
18
19
20
21
22
23
/* Check the values */ while (!IS_LAST_ENTRY(entry)) { if (entry->e_value_size != 0 && entry->e_value_inum == 0) { u16 offs = le16_to_cpu(entry->e_value_offs); u32 size = le32_to_cpu(entry->e_value_size); void *value; /*
+ show +
24
25
26
27
28
29
30
31
32
33
* The value cannot overlap the names, and the value * with padding cannot extend beyond 'end'. Check both * the padded and unpadded sizes, since the size may * overflow to 0 when adding padding. */ if (offs > end - value_start) return -EFSCORRUPTED; value = value_start + offs; if (value < (void *)e + sizeof(u32) || size > end - value ||

[linux_CVE-2018-1120_1526019104_check_vma_flags.diff] check_vma_flags_OLD.c #1
if (vm_flags & (VM_IO | VM_PFNMAP)) return -EFAULT; + if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma)) + return -EFAULT; + if (write) { if (!(vm_flags & VM_WRITE)) { if (!(gup_flags & FOLL_FORCE))
.\cloneFuncs\totalClone\Type-1\CVE-2018-1120_before_1mo_1522970658_check_vma_flags.c
1
2
3
4
5
6
static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags) { vm_flags_t vm_flags = vma->vm_flags; int write = (gup_flags & FOLL_WRITE); int foreign = (gup_flags & FOLL_REMOTE);
+ show +
7
8
9
10
11
12
if (vm_flags & (VM_IO | VM_PFNMAP)) return -EFAULT; if (write) { if (!(vm_flags & VM_WRITE)) { if (!(gup_flags & FOLL_FORCE))
+ show +
13
14
15
16
17
18
19
20
21
22
return -EFAULT; /* * We used to let the write,force case do COW in a * VM_MAYWRITE VM_SHARED !VM_WRITE vma, so ptrace could * set a breakpoint in a read-only mapping of an * executable, without corrupting the file (yet only * when that file had been opened for writing!). * Anon pages in shared mappings are surprising: now * just reject it. */

[xen_CVE-2019-11135_1560964563_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #1
{ enum ind_thunk thunk = THUNK_DEFAULT; bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled; + bool cpu_has_bug_taa; uint64_t caps = 0; if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_init_speculation_mitigations.c
1
void __init init_speculation_mitigations(void)
+ show +
2
3
4
5
6
7
{ enum ind_thunk thunk = THUNK_DEFAULT; bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled; uint64_t caps = 0; if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
+ show +
8
9
10
11
12
13
14
15
16
17
rdmsrl(MSR_ARCH_CAPABILITIES, caps); hw_smt_enabled = check_smt_enabled(); /* * Has the user specified any custom BTI mitigations? If so, follow their * instructions exactly and disable all heuristics. */ if ( opt_thunk != THUNK_DEFAULT || opt_ibrs != -1 ) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_init_speculation_mitigations.c
1
void __init init_speculation_mitigations(void)
+ show +
2
3
4
5
6
7
{ enum ind_thunk thunk = THUNK_DEFAULT; bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled; uint64_t caps = 0; if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
+ show +
8
9
10
11
12
13
14
15
16
17
rdmsrl(MSR_ARCH_CAPABILITIES, caps); hw_smt_enabled = check_smt_enabled(); /* * Has the user specified any custom BTI mitigations? If so, follow their * instructions exactly and disable all heuristics. */ if ( opt_thunk != THUNK_DEFAULT || opt_ibrs != -1 ) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_init_speculation_mitigations.c
1
void __init init_speculation_mitigations(void)
+ show +
2
3
4
5
6
7
{ enum ind_thunk thunk = THUNK_DEFAULT; bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled; uint64_t caps = 0; if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
+ show +
8
9
10
11
12
13
14
15
16
17
rdmsrl(MSR_ARCH_CAPABILITIES, caps); hw_smt_enabled = check_smt_enabled(); /* * Has the user specified any custom BTI mitigations? If so, follow their * instructions exactly and disable all heuristics. */ if ( opt_thunk != THUNK_DEFAULT || opt_ibrs != -1 ) {

[xen_CVE-2019-11135_1560964563_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #2
"enabled. Mitigations will not be fully effective. Please\n" "choose an explicit smt=<bool> setting. See XSA-297.\n"); + /* + * Vulnerability to TAA is a little complicated to quantify. + * + * In the pipeline, it is just another way to get speculative access to + * stale load port, store buffer or fill buffer data, and therefore can be + * considered a superset of MDS (on TSX-capable parts). On parts which + * predate MDS_NO, the existing VERW flushing will mitigate this + * sidechannel as well. + * + * On parts which contain MDS_NO, the lack of VERW flushing means that an + * attacker can still use TSX to target microarchitectural buffers to leak + * secrets. Therefore, we consider TAA to be the set of TSX-capable parts + * which have MDS_NO but lack TAA_NO. + * + * Note: cpu_has_rtm (== hle) could already be hidden by `tsx=0` on the + * cmdline. MSR_TSX_CTRL will only appear on TSX-capable parts, so + * we check both to spot TSX in a microcode/cmdline independent way. + */ + cpu_has_bug_taa = + (cpu_has_rtm || (caps & ARCH_CAPS_TSX_CTRL)) && + (caps & (ARCH_CAPS_MDS_NO | ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO; + + /* + * On TAA-affected hardware, disabling TSX is the preferred mitigation, vs + * the MDS mitigation of disabling HT and using VERW flushing. + * + * On CPUs which advertise MDS_NO, VERW has no flushing side effect until + * the TSX_CTRL microcode is loaded, despite the MD_CLEAR CPUID bit being + * advertised, and there isn't a MD_CLEAR_2 flag to use... + * + * If we're on affected hardware, able to do something about it (which + * implies that VERW now works), no explicit TSX choice and traditional + * MDS mitigations (no-SMT, VERW) not obviosuly in use (someone might + * plausibly value TSX higher than Hyperthreading...), disable TSX to + * mitigate TAA. + */ + if ( opt_tsx == -1 && cpu_has_bug_taa && (caps & ARCH_CAPS_TSX_CTRL) && + ((hw_smt_enabled && opt_smt) || + !boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) ) + { + setup_clear_cpu_cap(X86_FEATURE_HLE); + setup_clear_cpu_cap(X86_FEATURE_RTM); + + opt_tsx = 0; + tsx_init(); + } + print_details(thunk, caps); /*
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_init_speculation_mitigations.c
222
223
224
225
226
227
228
229
230
231
if ( opt_md_clear_hvm && !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_HVM); /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT * active and no explicit SMT choice. */ if ( opt_smt == -1 && cpu_has_bug_mds && hw_smt_enabled ) warning_add( "Booted on MLPDS/MFBDS-vulnerable hardware with SMT/Hyperthreading\n"
+ show +
232
233
234
235
236
237
"enabled. Mitigations will not be fully effective. Please\n" "choose an explicit smt=<bool> setting. See XSA-297.\n"); print_details(thunk, caps); /*
+ show +
238
239
240
241
242
243
244
245
246
247
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_init_speculation_mitigations.c
219
220
221
222
223
224
225
226
227
228
if ( opt_md_clear_hvm && !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_HVM); /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT * active and no explicit SMT choice. */ if ( opt_smt == -1 && cpu_has_bug_mds && hw_smt_enabled ) warning_add( "Booted on MLPDS/MFBDS-vulnerable hardware with SMT/Hyperthreading\n"
+ show +
229
230
231
232
233
234
"enabled. Mitigations will not be fully effective. Please\n" "choose an explicit smt=<bool> setting. See XSA-297.\n"); print_details(thunk, caps); /*
+ show +
235
236
237
238
239
240
241
242
243
244
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {

[xen_CVE-2019-11135_1560964563_print_details.diff] print_details_OLD.c #1
printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_print_details.c
1
2
3
4
5
6
7
8
9
10
static void __init print_details(enum ind_thunk thunk, uint64_t caps) { unsigned int _7d0 = 0, e8b = 0, tmp; /* Collect diagnostics about available mitigations. */ if ( boot_cpu_data.cpuid_level >= 7 ) cpuid_count(7, 0, &tmp, &tmp, &tmp, &_7d0); if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 ) cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ show +
11
12
13
14
15
16
17
printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
+ show +
18
19
20
21
22
23
24
25
26
27
(_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "");
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_print_details.c
1
2
3
4
5
6
7
8
9
10
static void __init print_details(enum ind_thunk thunk, uint64_t caps) { unsigned int _7d0 = 0, e8b = 0, tmp; /* Collect diagnostics about available mitigations. */ if ( boot_cpu_data.cpuid_level >= 7 ) cpuid_count(7, 0, &tmp, &tmp, &tmp, &_7d0); if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 ) cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ show +
11
12
13
14
15
16
17
printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
+ show +
18
19
20
21
22
23
24
25
26
27
(_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "");
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_print_details.c
1
2
3
4
5
6
7
8
9
10
static void __init print_details(enum ind_thunk thunk, uint64_t caps) { unsigned int _7d0 = 0, e8b = 0, tmp; /* Collect diagnostics about available mitigations. */ if ( boot_cpu_data.cpuid_level >= 7 ) cpuid_count(7, 0, &tmp, &tmp, &tmp, &_7d0); if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 ) cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ show +
11
12
13
14
15
16
17
printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
+ show +
18
19
20
21
22
23
24
25
26
27
(_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "");
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_after_6mo_1564580024_print_details.c
1
2
3
4
5
6
7
8
9
10
static void __init print_details(enum ind_thunk thunk, uint64_t caps) { unsigned int _7d0 = 0, e8b = 0, tmp; /* Collect diagnostics about available mitigations. */ if ( boot_cpu_data.cpuid_level >= 7 ) cpuid_count(7, 0, &tmp, &tmp, &tmp, &_7d0); if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 ) cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ show +
11
12
13
14
15
16
17
printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
+ show +
18
19
20
21
22
23
24
25
26
27
(_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "");

[xen_CVE-2019-11135_1560964563_print_details.diff] print_details_OLD.c #2
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", - (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : ""); + (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "", + (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", + (caps & ARCH_CAPS_TAA_NO) ? " TAA_NO" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_print_details.c
13
14
15
16
17
18
19
20
21
22
/* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ show +
23
24
25
26
27
28
29
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
+ show +
30
31
32
33
34
35
36
37
38
39
printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_print_details.c
13
14
15
16
17
18
19
20
21
22
/* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ show +
23
24
25
26
27
28
29
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
+ show +
30
31
32
33
34
35
36
37
38
39
printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_print_details.c
13
14
15
16
17
18
19
20
21
22
/* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ show +
23
24
25
26
27
28
29
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
+ show +
30
31
32
33
34
35
36
37
38
39
printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_after_6mo_1564580024_print_details.c
13
14
15
16
17
18
19
20
21
22
/* Hardware features which pertain to speculative mitigations. */ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ show +
23
24
25
26
27
28
29
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "", (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
+ show +
30
31
32
33
34
35
36
37
38
39
printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */

[xen_CVE-2019-11135_1560964563_print_details.diff] print_details_OLD.c #3
"\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_print_details.c
27
28
29
30
31
32
33
34
35
36
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
37
38
39
40
41
42
43
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
44
45
46
47
48
49
50
51
52
53
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", opt_l1tf_barrier ? " L1TF_BARRIER" : "");
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_print_details.c
27
28
29
30
31
32
33
34
35
36
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
37
38
39
40
41
42
43
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
44
45
46
47
48
49
50
51
52
53
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", opt_branch_harden ? " BRANCH_HARDEN" : "");
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_after_6mo_1564580024_print_details.c
27
28
29
30
31
32
33
34
35
36
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
37
38
39
40
41
42
43
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
44
45
46
47
48
49
50
51
52
53
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", opt_l1tf_barrier ? " L1TF_BARRIER" : "");

[xen_CVE-2019-11135_1560964563_print_details.diff] print_details_OLD.c #4
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", + !(caps & ARCH_CAPS_TSX_CTRL) ? "" : + (opt_tsx & 1) ? " TSX+" : " TSX-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_after_1mo_1554385593_print_details.c
36
37
38
39
40
41
42
43
44
45
#endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" :
+ show +
46
47
48
49
50
51
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
+ show +
52
53
54
55
56
57
58
59
60
61
opt_l1tf_barrier ? " L1TF_BARRIER" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /*
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_print_details.c
36
37
38
39
40
41
42
43
44
45
#endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" :
+ show +
46
47
48
49
50
51
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
+ show +
52
53
54
55
56
57
58
59
60
61
opt_branch_harden ? " BRANCH_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /*
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_after_6mo_1564580024_print_details.c
36
37
38
39
40
41
42
43
44
45
#endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" :
+ show +
46
47
48
49
50
51
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
+ show +
52
53
54
55
56
57
58
59
60
61
opt_l1tf_barrier ? " L1TF_BARRIER" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /*

[xen_CVE-2018-12126_1544642535_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #1
"enabled. Please assess your configuration and choose an\n" "explicit 'smt=<bool>' setting. See XSA-273.\n"); + mds_calculations(caps); + + /* + * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. + * This will only be a token effort for MLPDS/MFBDS when HT is enabled, + * but it is somewhat better than nothing. + */ + if ( opt_md_clear_pv == -1 ) + opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_md_clear_hvm == -1 ) + opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + boot_cpu_has(X86_FEATURE_MD_CLEAR)); + + /* + * Enable MDS defences as applicable. The PV blocks need using all the + * time, and the Idle blocks need using if either PV or HVM defences are + * used. + * + * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with + * equivelent semantics to avoid needing to perform both flushes on the + * HVM path. The HVM blocks don't need activating if our hypervisor told + * us it was handling L1D_FLUSH, or we are using L1D_FLUSH ourselves. + */ + if ( opt_md_clear_pv ) + setup_force_cpu_cap(X86_FEATURE_SC_VERW_PV); + if ( opt_md_clear_pv || opt_md_clear_hvm ) + setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); + if ( opt_md_clear_hvm && !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush ) + setup_force_cpu_cap(X86_FEATURE_SC_VERW_HVM); + + /* + * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT + * active and no explicit SMT choice. + */ + if ( opt_smt == -1 && cpu_has_bug_mds && hw_smt_enabled ) + warning_add( + "Booted on MLPDS/MFBDS-vulnerable hardware with SMT/Hyperthreading\n" + "enabled. Mitigations will not be fully effective. Please\n" + "choose an explicit smt=<bool> setting. See XSA-297.\n"); + print_details(thunk, caps); /*
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_init_speculation_mitigations.c
181
182
183
184
185
186
187
188
189
190
* guests, HT isn't a concern and should remain fully enabled. Secondly, * safety for HVM HAP guests can be arranged by the toolstack with core * parking, pinning or cpupool configurations, including mixed setups. * * However, if we are on affected hardware, with HT enabled, and the user * hasn't explicitly chosen whether to use HT or not, nag them to do so. */ if ( opt_smt == -1 && cpu_has_bug_l1tf && !pv_shim && hw_smt_enabled ) warning_add( "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading\n"
+ show +
191
192
193
194
195
196
"enabled. Please assess your configuration and choose an\n" "explicit 'smt=<bool>' setting. See XSA-273.\n"); print_details(thunk, caps); /*
+ show +
197
198
199
200
201
202
203
204
205
206
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_after_1mo_1534335330_init_speculation_mitigations.c
183
184
185
186
187
188
189
190
191
192
* safety for HVM HAP guests can be arranged by the toolstack with core * parking, pinning or cpupool configurations, including mixed setups. * * However, if we are on affected hardware, with HT enabled, and the user * hasn't explicitly chosen whether to use HT or not, nag them to do so. */ if ( opt_smt == -1 && cpu_has_bug_l1tf && !pv_shim && boot_cpu_data.x86_num_siblings > 1 ) warning_add( "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading\n"
+ show +
193
194
195
196
197
198
"enabled. Please assess your configuration and choose an\n" "explicit 'smt=<bool>' setting. See XSA-273.\n"); print_details(thunk, caps); /*
+ show +
199
200
201
202
203
204
205
206
207
208
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_1mo_1538657396_init_speculation_mitigations.c
174
175
176
177
178
179
180
181
182
183
* safety for HVM HAP guests can be arranged by the toolstack with core * parking, pinning or cpupool configurations, including mixed setups. * * However, if we are on affected hardware, with HT enabled, and the user * hasn't explicitly chosen whether to use HT or not, nag them to do so. */ if ( opt_smt == -1 && cpu_has_bug_l1tf && !pv_shim && boot_cpu_data.x86_num_siblings > 1 ) warning_add( "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading\n"
+ show +
184
185
186
187
188
189
"enabled. Please assess your configuration and choose an\n" "explicit 'smt=<bool>' setting. See XSA-273.\n"); print_details(thunk, caps); /*
+ show +
190
191
192
193
194
195
196
197
198
199
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {

[xen_CVE-2018-12126_1544642535_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #1
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; + opt_md_clear_pv = 0; + opt_md_clear_hvm = 0; opt_thunk = THUNK_JMP; opt_ibrs = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_parse_spec_ctrl.c
25
26
27
28
29
30
31
32
33
34
if ( opt_smt < 0 ) opt_smt = 1; if ( opt_pv_l1tf_hwdom < 0 ) opt_pv_l1tf_hwdom = 0; if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu = 0; opt_l1tf_barrier = 0;
+ show +
35
36
37
38
39
40
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
41
42
43
44
45
46
47
48
49
50
opt_ibpb = false; opt_ssbd = false; opt_l1d_flush = 0; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_parse_spec_ctrl.c
10
11
12
13
14
15
16
17
18
19
/* Global and Xen-wide disable. */ val = parse_bool(s, ss); if ( !val ) { opt_msr_sc_pv = false; opt_msr_sc_hvm = false; opt_eager_fpu = 0;
+ show +
20
21
22
23
24
25
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
26
27
28
29
30
31
32
33
34
35
opt_ibpb = false; opt_ssbd = false; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_parse_spec_ctrl.c
8
9
10
11
12
13
14
15
16
17
if ( !ss ) ss = strchr(s, '\0'); /* Global and Xen-wide disable. */ val = parse_bool(s, ss); if ( !val ) { opt_msr_sc_pv = false; opt_msr_sc_hvm = false;
+ show +
18
19
20
21
22
23
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
24
25
26
27
28
29
30
31
32
33
opt_ibpb = false; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL;
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_1mo_1538657396_parse_spec_ctrl.c
23
24
25
26
27
28
29
30
31
32
opt_xpti_domu = 0; if ( opt_smt < 0 ) opt_smt = 1; if ( opt_pv_l1tf_hwdom < 0 ) opt_pv_l1tf_hwdom = 0; if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu = 0;
+ show +
33
34
35
36
37
38
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
39
40
41
42
43
44
45
46
47
48
opt_ibpb = false; opt_ssbd = false; opt_l1d_flush = 0; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common;
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_6mo_1528387237_parse_spec_ctrl.c
8
9
10
11
12
13
14
15
16
17
if ( !ss ) ss = strchr(s, '\0'); /* Global and Xen-wide disable. */ val = parse_bool(s, ss); if ( !val ) { opt_msr_sc_pv = false; opt_msr_sc_hvm = false;
+ show +
18
19
20
21
22
23
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
24
25
26
27
28
29
30
31
32
33
opt_ibpb = false; opt_eager_fpu = 0; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common;
.\cloneFuncs\totalClone\Type-3\CVE-2018-3620_after_1mo_1534335330_parse_spec_ctrl.c
19
20
21
22
23
24
25
26
27
28
if ( opt_xpti < 0 ) opt_xpti = 0; if ( opt_smt < 0 ) opt_smt = 1; if ( opt_pv_l1tf < 0 ) opt_pv_l1tf = 0;
+ show +
29
30
31
32
33
34
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP; opt_ibrs = 0;
+ show +
35
36
37
38
39
40
41
42
43
44
opt_ibpb = false; opt_ssbd = false; opt_l1d_flush = 0; } else if ( val > 0 ) rc = -EINVAL; else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common;

[xen_CVE-2018-12126_1544642535_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #2
{ opt_msr_sc_pv = val; opt_rsb_pv = val; + opt_md_clear_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; + opt_md_clear_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_parse_spec_ctrl.c
47
48
49
50
51
52
53
54
55
56
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
57
58
59
60
61
62
63
64
65
66
67
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
68
69
70
71
72
73
74
75
76
77
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_parse_spec_ctrl.c
31
32
33
34
35
36
37
38
39
40
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
41
42
43
44
45
46
47
48
49
50
51
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
52
53
54
55
56
57
58
59
60
61
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_parse_spec_ctrl.c
28
29
30
31
32
33
34
35
36
37
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
38
39
40
41
42
43
44
45
46
47
48
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
49
50
51
52
53
54
55
56
57
58
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_1mo_1538657396_parse_spec_ctrl.c
45
46
47
48
49
50
51
52
53
54
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
55
56
57
58
59
60
61
62
63
64
65
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
66
67
68
69
70
71
72
73
74
75
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_6mo_1528387237_parse_spec_ctrl.c
29
30
31
32
33
34
35
36
37
38
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
39
40
41
42
43
44
45
46
47
48
49
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
50
51
52
53
54
55
56
57
58
59
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-3620_after_1mo_1534335330_parse_spec_ctrl.c
41
42
43
44
45
46
47
48
49
50
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ show +
51
52
53
54
55
56
57
58
59
60
61
{ opt_msr_sc_pv = val; opt_rsb_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) {
+ show +
62
63
64
65
66
67
68
69
70
71
opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) { opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */

[xen_CVE-2018-12126_1544642535_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #3
opt_rsb_pv = val; opt_rsb_hvm = val; } + else if ( (val = parse_boolean("md-clear", s, ss)) >= 0 ) + { + opt_md_clear_pv = val; + opt_md_clear_hvm = val; + } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_parse_spec_ctrl.c
63
64
65
66
67
68
69
70
71
72
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
73
74
75
76
77
78
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
79
80
81
82
83
84
85
86
87
88
{ s += 10; if ( !cmdline_strcmp(s, "retpoline") ) opt_thunk = THUNK_RETPOLINE; else if ( !cmdline_strcmp(s, "lfence") ) opt_thunk = THUNK_LFENCE; else if ( !cmdline_strcmp(s, "jmp") ) opt_thunk = THUNK_JMP; else
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_parse_spec_ctrl.c
47
48
49
50
51
52
53
54
55
56
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
57
58
59
60
61
62
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
63
64
65
66
67
68
69
70
71
72
{ s += 10; if ( !strncmp(s, "retpoline", ss - s) ) opt_thunk = THUNK_RETPOLINE; else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_parse_spec_ctrl.c
44
45
46
47
48
49
50
51
52
53
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
54
55
56
57
58
59
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
60
61
62
63
64
65
66
67
68
69
{ s += 10; if ( !strncmp(s, "retpoline", ss - s) ) opt_thunk = THUNK_RETPOLINE; else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_1mo_1538657396_parse_spec_ctrl.c
61
62
63
64
65
66
67
68
69
70
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
71
72
73
74
75
76
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
77
78
79
80
81
82
83
84
85
86
{ s += 10; if ( !strncmp(s, "retpoline", ss - s) ) opt_thunk = THUNK_RETPOLINE; else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_6mo_1528387237_parse_spec_ctrl.c
45
46
47
48
49
50
51
52
53
54
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
55
56
57
58
59
60
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
61
62
63
64
65
66
67
68
69
70
{ s += 10; if ( !strncmp(s, "retpoline", ss - s) ) opt_thunk = THUNK_RETPOLINE; else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else
.\cloneFuncs\totalClone\Type-3\CVE-2018-3620_after_1mo_1534335330_parse_spec_ctrl.c
57
58
59
60
61
62
63
64
65
66
opt_msr_sc_hvm = val; opt_rsb_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) { opt_msr_sc_pv = val; opt_msr_sc_hvm = val; } else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) {
+ show +
67
68
69
70
71
72
opt_rsb_pv = val; opt_rsb_hvm = val; } /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=", 10) )
+ show +
73
74
75
76
77
78
79
80
81
82
{ s += 10; if ( !strncmp(s, "retpoline", ss - s) ) opt_thunk = THUNK_RETPOLINE; else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else

[xen_CVE-2018-12126_1544642535_print_details.diff] print_details_OLD.c #1
"\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_print_details.c
27
28
29
30
31
32
33
34
35
36
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
37
38
39
40
41
42
43
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
44
45
46
47
48
49
50
51
52
53
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_l1tf_barrier ? " L1TF_BARRIER" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */

[xen_CVE-2018-12126_1544642535_print_details.diff] print_details_OLD.c #2
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", + opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", opt_l1tf_barrier ? " L1TF_BARRIER" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1536759360_print_details.c
38
39
40
41
42
43
44
45
46
47
/* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" :
+ show +
48
49
50
51
52
53
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_l1tf_barrier ? " L1TF_BARRIER" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */
+ show +
54
55
56
57
58
59
60
61
62
63
if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /* * Alternatives blocks for protecting against and/or virtualising * mitigation support for guests. */

[linux_CVE-2018-12126_1547859016_cpu_set_bug_bits.diff] cpu_set_bug_bits_OLD.c #1
if (ia32_cap & ARCH_CAP_IBRS_ALL) setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); + if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) + setup_force_cpu_bug(X86_BUG_MDS); + if (cpu_matches(NO_MELTDOWN)) return;
.\cloneFuncs\totalClone\Type-1\CVE-2018-12126_before_imd_1551258623_cpu_set_bug_bits.c
8
9
10
11
12
13
14
15
16
17
setup_force_cpu_bug(X86_BUG_SPECTRE_V1); setup_force_cpu_bug(X86_BUG_SPECTRE_V2); if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) && !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+ show +
18
19
20
21
22
if (ia32_cap & ARCH_CAP_IBRS_ALL) setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); if (cpu_matches(NO_MELTDOWN)) return;
+ show +
23
24
25
26
27
28
29
30
31
32
/* Rogue Data Cache Load? No! */ if (ia32_cap & ARCH_CAP_RDCL_NO) return; setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); if (cpu_matches(NO_L1TF)) return;

[linux_CVE-2018-16880_1548659105_vhost_vsock_dev_open.diff] vhost_vsock_dev_open_OLD.c #1
vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick; vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick; - vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs)); + vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), UIO_MAXIOV); file->private_data = vsock; spin_lock_init(&vsock->send_pkt_list_lock);
.\cloneFuncs\totalClone\Type-1\CVE-2018-14625_after_1mo_1546484085_vhost_vsock_dev_open.c
16
17
18
19
20
21
22
23
24
25
ret = -ENOMEM; goto out; } vsock->guest_cid = 0; /* no CID assigned yet */ atomic_set(&vsock->queued_replies, 0); vqs[VSOCK_VQ_TX] = &vsock->vqs[VSOCK_VQ_TX]; vqs[VSOCK_VQ_RX] = &vsock->vqs[VSOCK_VQ_RX];
+ show +
26
27
28
29
30
31
32
vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick; vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick; vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs)); file->private_data = vsock; spin_lock_init(&vsock->send_pkt_list_lock);
+ show +
33
34
35
36
37
38
39
40
INIT_LIST_HEAD(&vsock->send_pkt_list); vhost_work_init(&vsock->send_pkt_work, vhost_transport_send_pkt_work); return 0; out: vhost_vsock_free(vsock); return ret; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-14625_before_1mo_1523067701_vhost_vsock_dev_open.c
16
17
18
19
20
21
22
23
24
25
ret = -ENOMEM; goto out; } vsock->guest_cid = 0; /* no CID assigned yet */ atomic_set(&vsock->queued_replies, 0); vqs[VSOCK_VQ_TX] = &vsock->vqs[VSOCK_VQ_TX]; vqs[VSOCK_VQ_RX] = &vsock->vqs[VSOCK_VQ_RX];
+ show +
26
27
28
29
30
31
32
vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick; vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick; vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs)); file->private_data = vsock; spin_lock_init(&vsock->send_pkt_list_lock);
+ show +
33
34
35
36
37
38
39
40
41
42
INIT_LIST_HEAD(&vsock->send_pkt_list); vhost_work_init(&vsock->send_pkt_work, vhost_transport_send_pkt_work); spin_lock_bh(&vhost_vsock_lock); list_add_tail(&vsock->list, &vhost_vsock_list); spin_unlock_bh(&vhost_vsock_lock); return 0; out: vhost_vsock_free(vsock);

[linux_CVE-2018-14625_1541414147_vhost_transport_cancel_pkt.diff] vhost_transport_cancel_pkt_OLD.c #1
struct vhost_vsock *vsock; struct virtio_vsock_pkt *pkt, *n; int cnt = 0; + int ret = -ENODEV; LIST_HEAD(freeme); + rcu_read_lock(); + /* Find the vhost_vsock according to guest context id */ vsock = vhost_vsock_get(vsk->remote_addr.svm_cid); if (!vsock) - return -ENODEV; + goto out; spin_lock_bh(&vsock->send_pkt_list_lock); list_for_each_entry_safe(pkt, n, &vsock->send_pkt_list, list) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-14625_before_1mo_1523067701_vhost_transport_cancel_pkt.c
1
2
3
static int vhost_transport_cancel_pkt(struct vsock_sock *vsk) {
+ show +
4
5
6
7
8
9
10
11
12
13
14
15
struct vhost_vsock *vsock; struct virtio_vsock_pkt *pkt, *n; int cnt = 0; LIST_HEAD(freeme); /* Find the vhost_vsock according to guest context id */ vsock = vhost_vsock_get(vsk->remote_addr.svm_cid); if (!vsock) return -ENODEV; spin_lock_bh(&vsock->send_pkt_list_lock); list_for_each_entry_safe(pkt, n, &vsock->send_pkt_list, list) {
+ show +
16
17
18
19
20
21
22
23
24
25
if (pkt->vsk != vsk) continue; list_move(&pkt->list, &freeme); } spin_unlock_bh(&vsock->send_pkt_list_lock); list_for_each_entry_safe(pkt, n, &freeme, list) { if (pkt->reply) cnt++; list_del(&pkt->list);

[linux_CVE-2018-14625_1541414147_vhost_transport_send_pkt.diff] vhost_transport_send_pkt_OLD.c #1
struct vhost_vsock *vsock; int len = pkt->len; + rcu_read_lock(); + /* Find the vhost_vsock according to guest context id */ vsock = vhost_vsock_get(le64_to_cpu(pkt->hdr.dst_cid)); if (!vsock) { + rcu_read_unlock(); virtio_transport_free_pkt(pkt); return -ENODEV; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-14625_before_1mo_1523067701_vhost_transport_send_pkt.c
1
2
3
static int vhost_transport_send_pkt(struct virtio_vsock_pkt *pkt) {
+ show +
4
5
6
7
8
9
10
11
12
struct vhost_vsock *vsock; int len = pkt->len; /* Find the vhost_vsock according to guest context id */ vsock = vhost_vsock_get(le64_to_cpu(pkt->hdr.dst_cid)); if (!vsock) { virtio_transport_free_pkt(pkt); return -ENODEV; }
+ show +
13
14
15
16
17
18
19
20
21
22
if (pkt->reply) atomic_inc(&vsock->queued_replies); spin_lock_bh(&vsock->send_pkt_list_lock); list_add_tail(&pkt->list, &vsock->send_pkt_list); spin_unlock_bh(&vsock->send_pkt_list_lock); vhost_work_queue(&vsock->dev, &vsock->send_pkt_work); return len;

[linux_CVE-2018-14625_1541414147_vhost_vsock_dev_release.diff] vhost_vsock_dev_release_OLD.c #1
struct vhost_vsock *vsock = file->private_data; spin_lock_bh(&vhost_vsock_lock); - list_del(&vsock->list); + if (vsock->guest_cid) + hash_del_rcu(&vsock->hash); spin_unlock_bh(&vhost_vsock_lock); + /* Wait for other CPUs to finish using vsock */ + synchronize_rcu(); + /* Iterating over all connections for all CIDs to find orphans is * inefficient. Room for improvement here. */ vsock_for_each_connected_socket(vhost_vsock_reset_orphans);
.\cloneFuncs\totalClone\Type-1\CVE-2018-14625_before_1mo_1523067701_vhost_vsock_dev_release.c
1
2
static int vhost_vsock_dev_release(struct inode *inode, struct file *file) {
+ show +
3
4
5
6
7
8
9
10
11
struct vhost_vsock *vsock = file->private_data; spin_lock_bh(&vhost_vsock_lock); list_del(&vsock->list); spin_unlock_bh(&vhost_vsock_lock); /* Iterating over all connections for all CIDs to find orphans is * inefficient. Room for improvement here. */ vsock_for_each_connected_socket(vhost_vsock_reset_orphans);
+ show +
12
13
14
15
16
17
18
19
20
21
vhost_vsock_stop(vsock); vhost_vsock_flush(vsock); vhost_dev_stop(&vsock->dev); spin_lock_bh(&vsock->send_pkt_list_lock); while (!list_empty(&vsock->send_pkt_list)) { struct virtio_vsock_pkt *pkt; pkt = list_first_entry(&vsock->send_pkt_list,

[linux_CVE-2018-14633_1536466166_chap_server_compute_md5.diff] chap_server_compute_md5_OLD.c #1
pr_err("Could not find CHAP_R.\n"); goto out; } + if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) { + pr_err("Malformed CHAP_R\n"); + goto out; + } + if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) { + pr_err("Malformed CHAP_R\n"); + goto out; + } pr_debug("[server] Got CHAP_R=%s\n", chap_r); - chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); tfm = crypto_alloc_shash("md5", 0, 0); if (IS_ERR(tfm)) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-14633_before_imd_1513185750_chap_server_compute_md5.c
61
62
63
64
65
66
67
68
69
70
pr_debug("[server] Got CHAP_N=%s\n", chap_n); /* * Extract CHAP_R. */ if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r, &type) < 0) { pr_err("Could not find CHAP_R.\n"); goto out; } if (type != HEX) {
+ show +
71
72
73
74
75
76
77
78
79
pr_err("Could not find CHAP_R.\n"); goto out; } pr_debug("[server] Got CHAP_R=%s\n", chap_r); chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); tfm = crypto_alloc_shash("md5", 0, 0); if (IS_ERR(tfm)) {
+ show +
80
81
82
83
84
85
86
87
88
89
tfm = NULL; pr_err("Unable to allocate struct crypto_shash\n"); goto out; } desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); if (!desc) { pr_err("Unable to allocate struct shash_desc\n"); goto out; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-14633_before_1mo_1496889266_chap_server_compute_md5.c
61
62
63
64
65
66
67
68
69
70
pr_debug("[server] Got CHAP_N=%s\n", chap_n); /* * Extract CHAP_R. */ if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r, &type) < 0) { pr_err("Could not find CHAP_R.\n"); goto out; } if (type != HEX) {
+ show +
71
72
73
74
75
76
77
78
79
pr_err("Could not find CHAP_R.\n"); goto out; } pr_debug("[server] Got CHAP_R=%s\n", chap_r); chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); tfm = crypto_alloc_shash("md5", 0, 0); if (IS_ERR(tfm)) {
+ show +
80
81
82
83
84
85
86
87
88
89
tfm = NULL; pr_err("Unable to allocate struct crypto_shash\n"); goto out; } desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); if (!desc) { pr_err("Unable to allocate struct shash_desc\n"); goto out; }

[linux_CVE-2018-14633_1536466166_chap_server_compute_md5.diff] chap_server_compute_md5_OLD.c #2
pr_err("Could not find CHAP_C.\n"); goto out; } - pr_debug("[server] Got CHAP_C=%s\n", challenge); - challenge_len = chap_string_to_hex(challenge_binhex, challenge, - strlen(challenge)); + challenge_len = DIV_ROUND_UP(strlen(challenge), 2); if (!challenge_len) { pr_err("Unable to convert incoming challenge\n"); goto out;
.\cloneFuncs\totalClone\Type-1\CVE-2018-14633_before_imd_1513185750_chap_server_compute_md5.c
162
163
164
165
166
167
168
169
170
171
/* * Get CHAP_C. */ if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN, challenge, &type) < 0) { pr_err("Could not find CHAP_C.\n"); goto out; } if (type != HEX) {
+ show +
172
173
174
175
176
177
178
179
180
pr_err("Could not find CHAP_C.\n"); goto out; } pr_debug("[server] Got CHAP_C=%s\n", challenge); challenge_len = chap_string_to_hex(challenge_binhex, challenge, strlen(challenge)); if (!challenge_len) { pr_err("Unable to convert incoming challenge\n"); goto out;
+ show +
181
182
183
184
185
186
187
188
189
190
} if (challenge_len > 1024) { pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); goto out; } /* * During mutual authentication, the CHAP_C generated by the * initiator must not match the original CHAP_C generated by * the target. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-14633_before_1mo_1496889266_chap_server_compute_md5.c
162
163
164
165
166
167
168
169
170
171
/* * Get CHAP_C. */ if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN, challenge, &type) < 0) { pr_err("Could not find CHAP_C.\n"); goto out; } if (type != HEX) {
+ show +
172
173
174
175
176
177
178
179
180
pr_err("Could not find CHAP_C.\n"); goto out; } pr_debug("[server] Got CHAP_C=%s\n", challenge); challenge_len = chap_string_to_hex(challenge_binhex, challenge, strlen(challenge)); if (!challenge_len) { pr_err("Unable to convert incoming challenge\n"); goto out;
+ show +
181
182
183
184
185
186
187
188
189
190
} if (challenge_len > 1024) { pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); goto out; } /* * During mutual authentication, the CHAP_C generated by the * initiator must not match the original CHAP_C generated by * the target. */

[linux_CVE-2018-14633_1536466166_chap_server_compute_md5.diff] chap_server_compute_md5_OLD.c #3
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); goto out; } + if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) { + pr_err("Malformed CHAP_C\n"); + goto out; + } + pr_debug("[server] Got CHAP_C=%s\n", challenge); /* * During mutual authentication, the CHAP_C generated by the * initiator must not match the original CHAP_C generated by
.\cloneFuncs\totalClone\Type-1\CVE-2018-14633_before_imd_1513185750_chap_server_compute_md5.c
173
174
175
176
177
178
179
180
181
182
goto out; } pr_debug("[server] Got CHAP_C=%s\n", challenge); challenge_len = chap_string_to_hex(challenge_binhex, challenge, strlen(challenge)); if (!challenge_len) { pr_err("Unable to convert incoming challenge\n"); goto out; } if (challenge_len > 1024) {
+ show +
183
184
185
186
187
188
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); goto out; } /* * During mutual authentication, the CHAP_C generated by the * initiator must not match the original CHAP_C generated by
+ show +
189
190
191
192
193
194
195
196
197
198
* the target. */ if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { pr_err("initiator CHAP_C matches target CHAP_C, failing" " login attempt\n"); goto out; } /* * Generate CHAP_N and CHAP_R for mutual authentication. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-14633_before_1mo_1496889266_chap_server_compute_md5.c
173
174
175
176
177
178
179
180
181
182
goto out; } pr_debug("[server] Got CHAP_C=%s\n", challenge); challenge_len = chap_string_to_hex(challenge_binhex, challenge, strlen(challenge)); if (!challenge_len) { pr_err("Unable to convert incoming challenge\n"); goto out; } if (challenge_len > 1024) {
+ show +
183
184
185
186
187
188
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); goto out; } /* * During mutual authentication, the CHAP_C generated by the * initiator must not match the original CHAP_C generated by
+ show +
189
190
191
192
193
194
195
196
197
198
* the target. */ if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { pr_err("initiator CHAP_C matches target CHAP_C, failing" " login attempt\n"); goto out; } /* * Generate CHAP_N and CHAP_R for mutual authentication. */

[tcpdump_CVE-2018-16300_1536265581_bgp_attr_print.diff] bgp_attr_print_OLD.c #1
static int bgp_attr_print(netdissect_options *ndo, - uint8_t atype, const u_char *pptr, u_int len) + uint8_t atype, const u_char *pptr, u_int len, + const unsigned attr_set_level) { u_int i; uint16_t af;
.\cloneFuncs\totalClone\Type-1\CVE-2018-16300_before_imd_1567093481_bgp_attr_print.c
+ show +
1
2
3
4
5
6
static int bgp_attr_print(netdissect_options *ndo, uint8_t atype, const u_char *pptr, u_int len) { u_int i; uint16_t af;
+ show +
7
8
9
10
11
12
13
14
15
16
uint8_t safi, snpa, nhlen; int advance; u_int tlen; const u_char *tptr; char buf[MAXHOSTNAMELEN + 100]; u_int as_size; int add_path4, add_path6; int ret; tptr = pptr;

[tcpdump_CVE-2018-16300_1536265581_bgp_attr_print.diff] bgp_attr_print_OLD.c #2
tptr += len; break; } - /* FIXME check for recursion */ - if (!bgp_attr_print(ndo, atype, tptr, alen)) + /* + * The protocol encoding per se allows ATTR_SET to be nested + * as many times as the message can accommodate. This printer + * used to be able to recurse into ATTR_SET contents until the + * stack exhaustion, but now there is a limit on that (if live + * protocol exchange goes that many levels deep, something is + * probably wrong anyway). Feel free to refine this value if + * you can find the spec with respective normative text. + */ + if (attr_set_level == 10) + ND_PRINT("(too many nested levels, not recursing)"); + else if (!bgp_attr_print(ndo, atype, tptr, alen, attr_set_level + 1)) return 0; tptr += alen; len -= alen;
.\cloneFuncs\totalClone\Type-1\CVE-2018-16300_before_imd_1567093481_bgp_attr_print.c
569
570
571
572
573
574
575
576
577
578
aflags & 0x40 ? "T" : "", aflags & 0x20 ? "P" : "", aflags & 0x10 ? "E" : ""); if (aflags & 0xf) ND_PRINT("+%x", aflags & 0xf); ND_PRINT("]"); } ND_PRINT(": "); if (len < alen) { ND_PRINT(" [path attr too short]");
+ show +
579
580
581
582
583
584
585
586
tptr += len; break; } /* FIXME check for recursion */ if (!bgp_attr_print(ndo, atype, tptr, alen)) return 0; tptr += alen; len -= alen;
+ show +
587
588
589
590
591
592
593
594
595
596
} break; case BGPTYPE_LARGE_COMMUNITY: if (len == 0 || len % 12) { ND_PRINT("invalid len"); break; } ND_PRINT("\n\t "); while (len != 0) {
.\cloneFuncs\totalClone\Type-4\CVE-2017-13046_after_6mo_1517362173_bgp_attr_print.c
975
976
977
978
979
980
981
982
983
984
aflags & 0x40 ? "T" : "", aflags & 0x20 ? "P" : "", aflags & 0x10 ? "E" : ""); if (aflags & 0xf) ND_PRINT("+%x", aflags & 0xf); ND_PRINT("]"); } ND_PRINT(": "); if (len < alen) { ND_PRINT(" [path attr too short]");
+ show +
985
986
987
988
989
990
991
992
tptr += len; break; } /* FIXME check for recursion */ if (!bgp_attr_print(ndo, atype, tptr, alen)) return 0; tptr += alen; len -= alen;
+ show +
993
994
995
996
997
998
999
1000
1001
1002
} break; case BGPTYPE_LARGE_COMMUNITY: if (len == 0 || len % 12) { ND_PRINT("invalid len"); break; } ND_PRINT("\n\t "); while (len != 0) {

[tcpdump_CVE-2018-16300_1536265581_bgp_update_print.diff] bgp_update_print_OLD.c #1
} if (length < alen) goto trunc; - if (!bgp_attr_print(ndo, atype, p, alen)) + if (!bgp_attr_print(ndo, atype, p, alen, 0)) goto trunc; p += alen; len -= alen;
.\cloneFuncs\totalClone\Type-1\CVE-2018-16300_before_imd_1567093481_bgp_update_print.c
134
135
136
137
138
139
140
141
142
143
aflags & 0x10 ? "E" : ""); if (aflags & 0xf) ND_PRINT("+%x", aflags & 0xf); ND_PRINT("]: "); } if (len < alen) { ND_PRINT(" [path attrs too short]"); p += len; length -= len; break;
+ show +
144
145
146
147
148
149
150
} if (length < alen) goto trunc; if (!bgp_attr_print(ndo, atype, p, alen)) goto trunc; p += alen; len -= alen;
+ show +
151
152
153
154
155
156
157
158
159
160
length -= alen; } } if (length) { add_path = check_add_path(ndo, p, length, 32); ND_PRINT("\n\t Updated routes:"); while (length != 0) { if (add_path) { ND_TCHECK_4(p);
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_before_1mo_1533240082_bgp_update_print.c
133
134
135
136
137
138
139
140
141
142
aflags & 0x10 ? "E" : ""); if (aflags & 0xf) ND_PRINT("+%x", aflags & 0xf); ND_PRINT("]: "); } if (len < alen) { ND_PRINT(" [path attrs too short]"); p += len; length -= len; break;
+ show +
143
144
145
146
147
148
149
} if (length < alen) goto trunc; if (!bgp_attr_print(ndo, atype, p, alen)) goto trunc; p += alen; len -= alen;
+ show +
150
151
152
153
154
155
156
157
158
159
length -= alen; } } if (length) { add_path = check_add_path(ndo, p, length, 32); ND_PRINT("\n\t Updated routes:"); while (length != 0) { if (add_path) { ND_TCHECK_4(p);
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_before_6mo_1519920420_bgp_update_print.c
133
134
135
136
137
138
139
140
141
142
aflags & 0x10 ? "E" : ""); if (aflags & 0xf) ND_PRINT("+%x", aflags & 0xf); ND_PRINT("]: "); } if (len < alen) { ND_PRINT(" [path attrs too short]"); p += len; length -= len; break;
+ show +
143
144
145
146
147
148
149
} if (length < alen) goto trunc; if (!bgp_attr_print(ndo, atype, p, alen)) goto trunc; p += alen; len -= alen;
+ show +
150
151
152
153
154
155
156
157
158
159
length -= alen; } } if (length) { add_path = check_add_path(ndo, p, length, 32); ND_PRINT("\n\t Updated routes:"); while (length != 0) { if (add_path) { ND_TCHECK_4(p);

[linux_CVE-2018-16658_1538571269_cdrom_ioctl_select_disc.diff] cdrom_ioctl_select_disc_OLD.c #1
return -ENOSYS; if (arg != CDSL_CURRENT && arg != CDSL_NONE) { - if ((int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-16658_before_1mo_1533066712_cdrom_ioctl_select_disc.c
1
2
3
4
5
6
static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, unsigned long arg) { cd_dbg(CD_DO_IOCTL, "entering CDROM_SELECT_DISC\n"); if (!CDROM_CAN(CDC_SELECT_DISC))
+ show +
7
8
9
10
11
12
return -ENOSYS; if (arg != CDSL_CURRENT && arg != CDSL_NONE) { if ((int)arg >= cdi->capacity) return -EINVAL; }
+ show +
13
14
15
16
17
18
19
20
21
22
/* * ->select_disc is a hook to allow a driver-specific way of * seleting disc. However, since there is no equivalent hook for * cdrom_slot_status this may not actually be useful... */ if (cdi->ops->select_disc) return cdi->ops->select_disc(cdi, arg); cd_dbg(CD_CHANGER, "Using generic cdrom_select_disc()\n");

[qemu_CVE-2018-16872_1544703911_usb_mtp_get_object.diff] usb_mtp_get_object_OLD.c #1
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-16872_before_1mo_1536358131_usb_mtp_get_object.c
1
2
3
4
5
static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, MTPObject *o) { MTPData *d = usb_mtp_data_alloc(c);
+ show +
6
7
8
9
10
11
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); d->fd = open(o->path, O_RDONLY); if (d->fd == -1) { usb_mtp_data_free(d); return NULL;
+ show +
12
13
14
15
16
17
} d->length = o->stat.st_size; d->alloc = 512; d->data = g_malloc(d->alloc); return d; }

[qemu_CVE-2018-16872_1544703911_usb_mtp_get_partial_object.diff] usb_mtp_get_partial_object_OLD.c #1
c->argv[1], c->argv[2]); d = usb_mtp_data_alloc(c); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-16872_before_1mo_1536358131_usb_mtp_get_partial_object.c
1
2
3
4
5
6
7
8
9
10
static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, MTPObject *o) { MTPData *d; off_t offset; if (c->argc <= 2) { return NULL; } trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path,
+ show +
11
12
13
14
15
16
17
c->argv[1], c->argv[2]); d = usb_mtp_data_alloc(c); d->fd = open(o->path, O_RDONLY); if (d->fd == -1) { usb_mtp_data_free(d); return NULL;
+ show +
18
19
20
21
22
23
24
25
26
27
} offset = c->argv[1]; if (offset > o->stat.st_size) { offset = o->stat.st_size; } if (lseek(d->fd, offset, SEEK_SET) < 0) { usb_mtp_data_free(d); return NULL; }

[qemu_CVE-2018-16872_1544703911_usb_mtp_object_readdir.diff] usb_mtp_object_readdir_OLD.c #1
{ struct dirent *entry; DIR *dir; + int fd; if (o->have_children) { return; } o->have_children = true; - dir = opendir(o->path); + fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); + if (fd < 0) { + return; + } + dir = fdopendir(fd); if (!dir) { return; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-16872_before_1mo_1536358131_usb_mtp_object_readdir.c
1
static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ show +
2
3
4
5
6
7
8
9
10
11
12
13
14
{ struct dirent *entry; DIR *dir; if (o->have_children) { return; } o->have_children = true; dir = opendir(o->path); if (!dir) { return; }
+ show +
15
16
17
18
19
20
21
22
23
24
#ifdef CONFIG_INOTIFY1 int watchfd = usb_mtp_add_watch(s->inotifyfd, o->path); if (watchfd == -1) { fprintf(stderr, "usb-mtp: failed to add watch for %s\n", o->path); } else { trace_usb_mtp_inotify_event(s->dev.addr, o->path, 0, "Watch Added"); o->watchfd = watchfd; } #endif

[qemu_CVE-2018-17963_1543895623_qemu_sendv_packet_async.diff] qemu_sendv_packet_async_OLD.c #1
NetPacketSent *sent_cb) { NetQueue *queue; + size_t size = iov_size(iov, iovcnt); int ret; + if (size > NET_BUFSIZE) { + return size; + } + if (sender->link_down || !sender->peer) { - return iov_size(iov, iovcnt); + return size; } /* Let filters handle the packet first */
.\cloneFuncs\totalClone\Type-1\CVE-2018-17963_before_1mo_1535949536_qemu_sendv_packet_async.c
1
2
ssize_t qemu_sendv_packet_async(NetClientState *sender, const struct iovec *iov, int iovcnt,
+ show +
3
4
5
6
7
8
9
10
11
12
NetPacketSent *sent_cb) { NetQueue *queue; int ret; if (sender->link_down || !sender->peer) { return iov_size(iov, iovcnt); } /* Let filters handle the packet first */
+ show +
13
14
15
16
17
18
19
20
21
22
ret = filter_receive_iov(sender, NET_FILTER_DIRECTION_TX, sender, QEMU_NET_PACKET_FLAG_NONE, iov, iovcnt, sent_cb); if (ret) { return ret; } ret = filter_receive_iov(sender->peer, NET_FILTER_DIRECTION_RX, sender, QEMU_NET_PACKET_FLAG_NONE, iov, iovcnt, sent_cb); if (ret) { return ret;

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #1
V9fsString extension; int iounit; V9fsPDU *pdu = opaque; + V9fsState *s = pdu->s; v9fs_path_init(&path); v9fs_string_init(&name);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
3
4
5
6
7
8
9
10
11
12
int32_t fid; int err = 0; size_t offset = 7; V9fsFidState *fidp; V9fsQID qid; int32_t perm; int8_t mode; V9fsPath path; struct stat stbuf; V9fsString name;
+ show +
13
14
15
16
17
18
V9fsString extension; int iounit; V9fsPDU *pdu = opaque; v9fs_path_init(&path); v9fs_string_init(&name);
+ show +
19
20
21
22
23
24
25
26
27
28
v9fs_string_init(&extension); err = pdu_unmarshal(pdu, offset, "dsdbs", &fid, &name, &perm, &mode, &extension); if (err < 0) { goto out_nofid; } trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode); if (name_is_illegal(name.data)) { err = -ENOENT;

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #2
if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err = v9fs_co_opendir(pdu, fidp); if (err < 0) { goto out;
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
43
44
45
46
47
48
49
50
51
52
err = -EINVAL; goto out; } if (perm & P9_STAT_MODE_DIR) { err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777, fidp->uid, -1, &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);
+ show +
53
54
55
56
57
58
59
if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); err = v9fs_co_opendir(pdu, fidp); if (err < 0) { goto out;
+ show +
60
61
62
63
64
65
66
67
68
69
} fidp->fid_type = P9_FID_DIR; } else if (perm & P9_STAT_MODE_SYMLINK) { err = v9fs_co_symlink(pdu, fidp, &name, extension.data, -1 , &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path); if (err < 0) {

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #3
if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_LINK) { int32_t ofid = atoi(extension.data); V9fsFidState *ofidp = get_fid(pdu, ofid);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
59
60
61
62
63
64
65
66
67
68
goto out; } fidp->fid_type = P9_FID_DIR; } else if (perm & P9_STAT_MODE_SYMLINK) { err = v9fs_co_symlink(pdu, fidp, &name, extension.data, -1 , &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);
+ show +
69
70
71
72
73
74
75
if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_LINK) { int32_t ofid = atoi(extension.data); V9fsFidState *ofidp = get_fid(pdu, ofid);
+ show +
76
77
78
79
80
81
82
83
84
85
if (ofidp == NULL) { err = -EINVAL; goto out; } err = v9fs_co_link(pdu, ofidp, fidp, &name); put_fid(pdu, ofidp); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #4
fidp->fid_type = P9_FID_NONE; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { fidp->fid_type = P9_FID_NONE;
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
77
78
79
80
81
82
83
84
85
86
err = -EINVAL; goto out; } err = v9fs_co_link(pdu, ofidp, fidp, &name); put_fid(pdu, ofidp); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path); if (err < 0) {
+ show +
87
88
89
90
91
92
93
fidp->fid_type = P9_FID_NONE; goto out; } v9fs_path_copy(&fidp->path, &path); err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { fidp->fid_type = P9_FID_NONE;
+ show +
94
95
96
97
98
99
100
101
102
103
goto out; } } else if (perm & P9_STAT_MODE_DEVICE) { char ctype; uint32_t major, minor; mode_t nmode = 0; if (sscanf(extension.data, "%c %u %u", &ctype, &major, &minor) != 3) { err = -errno; goto out;

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #5
if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_NAMED_PIPE) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFIFO | (perm & 0777), &stbuf);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
115
116
117
118
119
120
121
122
123
124
goto out; } nmode |= perm & 0777; err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, makedev(major, minor), nmode, &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);
+ show +
125
126
127
128
129
130
131
if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_NAMED_PIPE) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFIFO | (perm & 0777), &stbuf);
+ show +
132
133
134
135
136
137
138
139
140
141
if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path); if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_SOCKET) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #6
if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_SOCKET) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFSOCK | (perm & 0777), &stbuf);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
126
127
128
129
130
131
132
133
134
135
goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_NAMED_PIPE) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFIFO | (perm & 0777), &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);
+ show +
136
137
138
139
140
141
142
if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_SOCKET) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFSOCK | (perm & 0777), &stbuf);
+ show +
143
144
145
146
147
148
149
150
151
152
if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path); if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else { err = v9fs_co_open2(pdu, fidp, &name, -1,

[qemu_CVE-2018-19364_1542715235_v9fs_create.diff] v9fs_create_OLD.c #7
if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { err = v9fs_co_open2(pdu, fidp, &name, -1, omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_create.c
137
138
139
140
141
142
143
144
145
146
goto out; } v9fs_path_copy(&fidp->path, &path); } else if (perm & P9_STAT_MODE_SOCKET) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFSOCK | (perm & 0777), &stbuf); if (err < 0) { goto out; } err = v9fs_co_name_to_path(pdu, &fidp->path, name.data, &path);
+ show +
147
148
149
150
151
152
153
if (err < 0) { goto out; } v9fs_path_copy(&fidp->path, &path); } else { err = v9fs_co_open2(pdu, fidp, &name, -1, omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+ show +
154
155
156
157
158
159
160
161
162
163
if (err < 0) { goto out; } fidp->fid_type = P9_FID_FILE; fidp->open_flags = omode_to_uflags(mode); if (fidp->open_flags & O_EXCL) { /* * We let the host file system do O_EXCL check * We should not reclaim such fd */

[qemu_CVE-2018-19364_1542715235_v9fs_walk.diff] v9fs_walk_OLD.c #1
err = -EINVAL; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { newfidp = alloc_fid(s, newfid); if (newfidp == NULL) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-19364_before_1mo_1528366642_v9fs_walk.c
75
76
77
78
79
80
81
82
83
84
if (err < 0) { goto out; } stat_to_qid(&stbuf, &qid); v9fs_path_copy(&dpath, &path); } memcpy(&qids[name_idx], &qid, sizeof(qid)); } if (fid == newfid) { if (fidp->fid_type != P9_FID_NONE) {
+ show +
85
86
87
88
89
90
91
err = -EINVAL; goto out; } v9fs_path_copy(&fidp->path, &path); } else { newfidp = alloc_fid(s, newfid); if (newfidp == NULL) {
+ show +
92
93
94
95
96
97
98
99
100
101
err = -EINVAL; goto out; } newfidp->uid = fidp->uid; v9fs_path_copy(&newfidp->path, &path); } err = v9fs_walk_marshal(pdu, nwnames, qids); trace_v9fs_walk_return(pdu->tag, pdu->id, nwnames, qids); out: put_fid(pdu, fidp);

[qemu_CVE-2018-19489_1542976083_v9fs_wstat.diff] v9fs_wstat_OLD.c #1
struct stat stbuf; V9fsFidState *fidp; V9fsPDU *pdu = opaque; + V9fsState *s = pdu->s; v9fs_stat_init(&v9stat); err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
.\cloneFuncs\totalClone\Type-1\CVE-2018-19489_before_1mo_1528366642_v9fs_wstat.c
1
2
3
4
5
6
7
static void coroutine_fn v9fs_wstat(void *opaque) { int32_t fid; int err = 0; int16_t unused; V9fsStat v9stat; size_t offset = 7;
+ show +
8
9
10
11
12
13
struct stat stbuf; V9fsFidState *fidp; V9fsPDU *pdu = opaque; v9fs_stat_init(&v9stat); err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
+ show +
14
15
16
17
18
19
20
21
22
23
if (err < 0) { goto out_nofid; } trace_v9fs_wstat(pdu->tag, pdu->id, fid, v9stat.mode, v9stat.atime, v9stat.mtime); fidp = get_fid(pdu, fid); if (fidp == NULL) { err = -EINVAL; goto out_nofid;

[qemu_CVE-2018-19489_1542976083_v9fs_wstat.diff] v9fs_wstat_OLD.c #2
} } if (v9stat.name.size != 0) { + v9fs_path_write_lock(s); err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); + v9fs_path_unlock(s); if (err < 0) { goto out; }
.\cloneFuncs\totalClone\Type-1\CVE-2018-19489_before_1mo_1528366642_v9fs_wstat.c
63
64
65
66
67
68
69
70
71
72
} err = v9fs_co_utimensat(pdu, &fidp->path, times); if (err < 0) { goto out; } } if (v9stat.n_gid != -1 || v9stat.n_uid != -1) { err = v9fs_co_chown(pdu, &fidp->path, v9stat.n_uid, v9stat.n_gid); if (err < 0) { goto out;
+ show +
73
74
75
76
77
78
79
} } if (v9stat.name.size != 0) { err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); if (err < 0) { goto out; }
+ show +
80
81
82
83
84
85
86
87
88
89
} if (v9stat.length != -1) { err = v9fs_co_truncate(pdu, &fidp->path, v9stat.length); if (err < 0) { goto out; } } err = offset; out: put_fid(pdu, fidp);

[linux_CVE-2018-19985_1544614944_hso_get_config_data.diff] hso_get_config_data_OLD.c #1
return -EIO; } + /* check if we have a valid interface */ + if (if_num > 16) { + kfree(config_data); + return -EINVAL; + } + switch (config_data[if_num]) { case 0x0: result = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2018-19985_before_1mo_1529523078_hso_get_config_data.c
4
5
6
7
8
9
10
11
12
13
u8 *config_data = kmalloc(17, GFP_KERNEL); u32 if_num = interface->cur_altsetting->desc.bInterfaceNumber; s32 result; if (!config_data) return -ENOMEM; if (usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x86, 0xC0, 0, 0, config_data, 17, USB_CTRL_SET_TIMEOUT) != 0x11) { kfree(config_data);
+ show +
14
15
16
17
18
19
return -EIO; } switch (config_data[if_num]) { case 0x0: result = 0;
+ show +
20
21
22
23
24
25
26
27
28
29
break; case 0x1: result = HSO_PORT_DIAG; break; case 0x2: result = HSO_PORT_GPS; break; case 0x3: result = HSO_PORT_GPS_CONTROL; break;

[linux_CVE-2018-19985_1544614944_hso_probe.diff] hso_probe_OLD.c #1
/* Get the interface/port specification from either driver_info or from * the device itself */ - if (id->driver_info) + if (id->driver_info) { + /* if_num is controlled by the device, driver_info is a 0 terminated + * array. Make sure, the access is in bounds! */ + for (i = 0; i <= if_num; ++i) + if (((u32 *)(id->driver_info))[i] == 0) + goto exit; port_spec = ((u32 *)(id->driver_info))[if_num]; - else + } else { port_spec = hso_get_config_data(interface); + if (port_spec < 0) + goto exit; + } /* Check if we need to switch to alt interfaces prior to port * configuration */
.\cloneFuncs\totalClone\Type-1\CVE-2018-19985_before_1mo_1529523078_hso_probe.c
7
8
9
10
11
12
13
14
15
16
struct hso_shared_int *shared_int; struct hso_device *tmp_dev = NULL; if (interface->cur_altsetting->desc.bInterfaceClass != 0xFF) { dev_err(&interface->dev, "Not our interface\n"); return -ENODEV; } if_num = interface->cur_altsetting->desc.bInterfaceNumber;
+ show +
17
18
19
20
21
22
23
24
25
/* Get the interface/port specification from either driver_info or from * the device itself */ if (id->driver_info) port_spec = ((u32 *)(id->driver_info))[if_num]; else port_spec = hso_get_config_data(interface); /* Check if we need to switch to alt interfaces prior to port * configuration */
+ show +
26
27
28
29
30
31
32
33
34
35
if (interface->num_altsetting > 1) usb_set_interface(interface_to_usbdev(interface), if_num, 1); interface->needs_remote_wakeup = 1; /* Allocate new hso device(s) */ switch (port_spec & HSO_INTF_MASK) { case HSO_INTF_MUX: if ((port_spec & HSO_PORT_MASK) == HSO_PORT_NETWORK) { /* Create the network device */ if (!disable_net) {

[linux_CVE-2018-3620_1530527370_vmx_init.diff] vmx_init_OLD.c #1
} #endif + vmx_setup_l1d_flush(); + r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx), __alignof__(struct vcpu_vmx), THIS_MODULE); if (r)
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_1mo_1526384257_vmx_init.c
21
22
23
24
25
26
27
28
29
30
break; } } if (enlightened_vmcs) { pr_info("KVM: vmx: using Hyper-V Enlightened VMCS\n"); static_branch_enable(&enable_evmcs); } } else { enlightened_vmcs = false;
+ show +
31
32
33
34
35
36
} #endif r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx), __alignof__(struct vcpu_vmx), THIS_MODULE); if (r)
+ show +
37
38
39
40
41
42
43
44
45
46
return r; #ifdef CONFIG_KEXEC_CORE rcu_assign_pointer(crash_vmclear_loaded_vmcss, crash_vmclear_local_loaded_vmcss); #endif vmx_check_vmcs12_offsets(); return 0; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-3620_after_1mo_1532204216_vmx_init.c
21
22
23
24
25
26
27
28
29
30
break; } } if (enlightened_vmcs) { pr_info("KVM: vmx: using Hyper-V Enlightened VMCS\n"); static_branch_enable(&enable_evmcs); } } else { enlightened_vmcs = false;
+ show +
31
32
33
34
35
36
} #endif r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx), __alignof__(struct vcpu_vmx), THIS_MODULE); if (r)
+ show +
37
38
39
40
41
42
43
44
45
46
return r; /* * Must be called after kvm_init() so enable_ept is properly set * up. Hand the parameter mitigation value in which was stored in * the pre module init parser. If no parameter was given, it will * contain 'auto' which will be turned into the default 'cond' * mitigation mode. */ if (boot_cpu_has(X86_BUG_L1TF)) {

[xen_CVE-2018-3620_1527615856_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #1
opt_pv_l1tf = OPT_PV_L1TF_DOMU; } + /* + * By default, enable L1D_FLUSH on L1TF-vulnerable hardware, unless + * instructed to skip the flush on vmentry by our outer hypervisor. + */ + if ( !boot_cpu_has(X86_FEATURE_L1D_FLUSH) ) + opt_l1d_flush = 0; + else if ( opt_l1d_flush == -1 ) + opt_l1d_flush = cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DFL); + + /* + * We do not disable HT by default on affected hardware. + * + * Firstly, if the user intends to use exclusively PV, or HVM shadow + * guests, HT isn't a concern and should remain fully enabled. Secondly, + * safety for HVM HAP guests can be arranged by the toolstack with core + * parking, pinning or cpupool configurations, including mixed setups. + * + * However, if we are on affected hardware, with HT enabled, and the user + * hasn't explicitly chosen whether to use HT or not, nag them to do so. + */ + if ( opt_smt == -1 && cpu_has_bug_l1tf && !pv_shim && + boot_cpu_data.x86_num_siblings > 1 ) + warning_add( + "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading\n" + "enabled. Please assess your configuration and choose an\n" + "explicit 'smt=<bool>' setting. See XSA-273.\n"); + print_details(thunk, caps); /*
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_init_speculation_mitigations.c
156
157
158
159
160
161
162
163
164
165
* hardware, except when running in shim mode. * * In shim mode, SHADOW is expected to be compiled out, and a malicious * guest kernel can only attack the shim Xen, not the host Xen. */ if ( opt_pv_l1tf == -1 ) { if ( pv_shim || !cpu_has_bug_l1tf ) opt_pv_l1tf = 0; else
+ show +
166
167
168
169
170
171
opt_pv_l1tf = OPT_PV_L1TF_DOMU; } print_details(thunk, caps); /*
+ show +
172
173
174
175
176
177
178
179
180
181
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {

[xen_CVE-2018-3620_1527615856_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #1
opt_ibrs = 0; opt_ibpb = false; opt_ssbd = false; + opt_l1d_flush = 0; } else if ( val > 0 ) rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_parse_spec_ctrl.c
15
16
17
18
19
20
21
22
23
24
opt_msr_sc_pv = false; opt_msr_sc_hvm = false; opt_eager_fpu = 0; disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_thunk = THUNK_JMP;
+ show +
25
26
27
28
29
30
opt_ibrs = 0; opt_ibpb = false; opt_ssbd = false; } else if ( val > 0 ) rc = -EINVAL;
+ show +
31
32
33
34
35
36
37
38
39
40
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )

[xen_CVE-2018-3620_1527615856_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #2
opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; + else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) + opt_l1d_flush = val; else rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_parse_spec_ctrl.c
70
71
72
73
74
75
76
77
78
79
else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else rc = -EINVAL; } else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 )
+ show +
80
81
82
83
84
opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else rc = -EINVAL;
+ show +
85
86
87
88
89
90
s = ss + 1; } while ( *ss ); return rc; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-12126_before_6mo_1528387237_parse_spec_ctrl.c
68
69
70
71
72
73
74
75
76
77
else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else rc = -EINVAL; } else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 )
+ show +
78
79
80
81
82
opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else rc = -EINVAL;
+ show +
83
84
85
86
87
88
s = ss + 1; } while ( *ss ); return rc; }

[xen_CVE-2018-3620_1527615856_print_details.diff] print_details_OLD.c #1
"\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_print_details.c
25
26
27
28
29
30
31
32
33
34
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
35
36
37
38
39
40
41
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
42
43
44
45
46
47
48
49
50
51
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u"

[xen_CVE-2018-3620_1527615856_print_details.diff] print_details_OLD.c #2
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", - opt_ibpb ? " IBPB" : ""); + opt_ibpb ? " IBPB" : "", + opt_l1d_flush ? " L1D_FLUSH" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf )
.\cloneFuncs\totalClone\Type-1\CVE-2018-3620_before_imd_1522246899_print_details.c
34
35
36
37
38
39
40
41
42
43
#endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" :
+ show +
44
45
46
47
48
49
50
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf )
+ show +
51
52
53
54
55
56
57
58
59
60
printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /* * Alternatives blocks for protecting against and/or virtualising * mitigation support for guests. */ printk(" Support for VMs: PV:%s%s%s%s, HVM:%s%s%s%s\n",

[qemu_CVE-2018-3639_1526939664_kvm_get_msrs.diff] kvm_get_msrs_OLD.c #1
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); } - - + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); + } if (!env->tsc_valid) { kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); env->tsc_valid = !runstate_is_running();
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_get_msrs.c
37
38
39
40
41
42
43
44
45
46
} if (has_msr_feature_control) { kvm_msr_entry_add(cpu, MSR_IA32_FEATURE_CONTROL, 0); } if (has_msr_bndcfgs) { kvm_msr_entry_add(cpu, MSR_IA32_BNDCFGS, 0); } if (has_msr_xss) { kvm_msr_entry_add(cpu, MSR_IA32_XSS, 0); }
+ show +
47
48
49
50
51
52
53
54
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); } if (!env->tsc_valid) { kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); env->tsc_valid = !runstate_is_running();
+ show +
55
56
57
58
59
60
61
62
63
64
} #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, 0); kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, 0); kvm_msr_entry_add(cpu, MSR_FMASK, 0); kvm_msr_entry_add(cpu, MSR_LSTAR, 0); } #endif
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_get_msrs.c
37
38
39
40
41
42
43
44
45
46
} if (has_msr_feature_control) { kvm_msr_entry_add(cpu, MSR_IA32_FEATURE_CONTROL, 0); } if (has_msr_bndcfgs) { kvm_msr_entry_add(cpu, MSR_IA32_BNDCFGS, 0); } if (has_msr_xss) { kvm_msr_entry_add(cpu, MSR_IA32_XSS, 0); }
+ show +
47
48
49
50
51
52
53
54
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); } if (!env->tsc_valid) { kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); env->tsc_valid = !runstate_is_running();
+ show +
55
56
57
58
59
60
61
62
63
64
} #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, 0); kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, 0); kvm_msr_entry_add(cpu, MSR_FMASK, 0); kvm_msr_entry_add(cpu, MSR_LSTAR, 0); } #endif

[qemu_CVE-2018-3639_1526939664_kvm_get_msrs.diff] kvm_get_msrs_OLD.c #2
case MSR_IA32_SPEC_CTRL: env->spec_ctrl = msrs[i].data; break; + case MSR_VIRT_SSBD: + env->virt_ssbd = msrs[i].data; + break; case MSR_IA32_RTIT_CTL: env->msr_rtit_ctrl = msrs[i].data; break;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_get_msrs.c
418
419
420
421
422
423
424
425
426
427
env->mtrr_fixed[10] = msrs[i].data; break; case MSR_MTRRphysBase(0) ... MSR_MTRRphysMask(MSR_MTRRcap_VCNT - 1): if (index & 1) { env->mtrr_var[MSR_MTRRphysIndex(index)].mask = msrs[i].data | mtrr_top_bits; } else { env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data; } break;
+ show +
428
429
430
431
432
433
case MSR_IA32_SPEC_CTRL: env->spec_ctrl = msrs[i].data; break; case MSR_IA32_RTIT_CTL: env->msr_rtit_ctrl = msrs[i].data; break;
+ show +
434
435
436
437
438
439
440
441
442
443
case MSR_IA32_RTIT_STATUS: env->msr_rtit_status = msrs[i].data; break; case MSR_IA32_RTIT_OUTPUT_BASE: env->msr_rtit_output_base = msrs[i].data; break; case MSR_IA32_RTIT_OUTPUT_MASK: env->msr_rtit_output_mask = msrs[i].data; break; case MSR_IA32_RTIT_CR3_MATCH:
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_get_msrs.c
404
405
406
407
408
409
410
411
412
413
env->mtrr_fixed[10] = msrs[i].data; break; case MSR_MTRRphysBase(0) ... MSR_MTRRphysMask(MSR_MTRRcap_VCNT - 1): if (index & 1) { env->mtrr_var[MSR_MTRRphysIndex(index)].mask = msrs[i].data | mtrr_top_bits; } else { env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data; } break;
+ show +
414
415
416
417
418
419
case MSR_IA32_SPEC_CTRL: env->spec_ctrl = msrs[i].data; break; case MSR_IA32_RTIT_CTL: env->msr_rtit_ctrl = msrs[i].data; break;
+ show +
420
421
422
423
424
425
426
427
428
429
case MSR_IA32_RTIT_STATUS: env->msr_rtit_status = msrs[i].data; break; case MSR_IA32_RTIT_OUTPUT_BASE: env->msr_rtit_output_base = msrs[i].data; break; case MSR_IA32_RTIT_OUTPUT_MASK: env->msr_rtit_output_mask = msrs[i].data; break; case MSR_IA32_RTIT_CR3_MATCH:

[qemu_CVE-2018-3639_1526939664_kvm_get_supported_msrs.diff] kvm_get_supported_msrs_OLD.c #1
case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true; break; + case MSR_VIRT_SSBD: + has_msr_virt_ssbd = true; + break; } } }
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_get_supported_msrs.c
76
77
78
79
80
81
82
83
84
85
break; case HV_X64_MSR_STIMER0_CONFIG: has_msr_hv_stimer = true; break; case HV_X64_MSR_TSC_FREQUENCY: has_msr_hv_frequencies = true; break; case HV_X64_MSR_REENLIGHTENMENT_CONTROL: has_msr_hv_reenlightenment = true; break;
+ show +
86
87
88
89
90
91
case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true; break; } } }
+ show +
92
93
94
95
96
97
g_free(kvm_msr_list); } return ret; }
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_get_supported_msrs.c
73
74
75
76
77
78
79
80
81
82
break; case HV_X64_MSR_SCONTROL: has_msr_hv_synic = true; break; case HV_X64_MSR_STIMER0_CONFIG: has_msr_hv_stimer = true; break; case HV_X64_MSR_TSC_FREQUENCY: has_msr_hv_frequencies = true; break;
+ show +
83
84
85
86
87
88
case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl = true; break; } } }
+ show +
89
90
91
92
93
94
g_free(kvm_msr_list); } return ret; }

[qemu_CVE-2018-3639_1526939664_kvm_put_msrs.diff] kvm_put_msrs_OLD.c #1
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); } + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); + } + #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_put_msrs.c
31
32
33
34
35
36
37
38
39
40
} if (has_msr_smi_count) { kvm_msr_entry_add(cpu, MSR_SMI_COUNT, env->msr_smi_count); } if (has_msr_bndcfgs) { kvm_msr_entry_add(cpu, MSR_IA32_BNDCFGS, env->msr_bndcfgs); } if (has_msr_xss) { kvm_msr_entry_add(cpu, MSR_IA32_XSS, env->xss); }
+ show +
41
42
43
44
45
46
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); } #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
+ show +
47
48
49
50
51
52
53
54
55
56
kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, env->kernelgsbase); kvm_msr_entry_add(cpu, MSR_FMASK, env->fmask); kvm_msr_entry_add(cpu, MSR_LSTAR, env->lstar); } #endif /* * The following MSRs have side effects on the guest or are too heavy * for normal writeback. Limit them to reset or full state updates. */
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_put_msrs.c
31
32
33
34
35
36
37
38
39
40
} if (has_msr_smi_count) { kvm_msr_entry_add(cpu, MSR_SMI_COUNT, env->msr_smi_count); } if (has_msr_bndcfgs) { kvm_msr_entry_add(cpu, MSR_IA32_BNDCFGS, env->msr_bndcfgs); } if (has_msr_xss) { kvm_msr_entry_add(cpu, MSR_IA32_XSS, env->xss); }
+ show +
41
42
43
44
45
46
if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); } #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
+ show +
47
48
49
50
51
52
53
54
55
56
kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, env->kernelgsbase); kvm_msr_entry_add(cpu, MSR_FMASK, env->fmask); kvm_msr_entry_add(cpu, MSR_LSTAR, env->lstar); } #endif /* * The following MSRs have side effects on the guest or are too heavy * for normal writeback. Limit them to reset or full state updates. */

[xen_CVE-2018-3646_1523633641_guest_rdmsr.diff] guest_rdmsr_OLD.c #1
case MSR_AMD_PATCHLOADER: case MSR_IA32_UCODE_WRITE: case MSR_PRED_CMD: + case MSR_FLUSH_CMD: /* Write-only */ goto gp_fault;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3646_before_imd_1530804339_guest_rdmsr.c
1
2
3
4
5
6
7
8
int guest_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val) { const struct cpuid_policy *cp = v->domain->arch.cpuid; const struct msr_policy *mp = v->domain->arch.msr; const struct vcpu_msrs *msrs = v->arch.msrs; switch ( msr ) {
+ show +
9
10
11
12
13
case MSR_AMD_PATCHLOADER: case MSR_IA32_UCODE_WRITE: case MSR_PRED_CMD: /* Write-only */ goto gp_fault;
+ show +
14
15
16
17
18
19
20
21
22
23
case MSR_SPEC_CTRL: if ( !cp->feat.ibrsb ) goto gp_fault; *val = msrs->spec_ctrl.raw; break; case MSR_INTEL_PLATFORM_INFO: *val = mp->plaform_info.raw; break;

[xen_CVE-2018-3646_1523633641_guest_wrmsr.diff] guest_wrmsr_OLD.c #1
wrmsrl(MSR_PRED_CMD, val); break; + case MSR_FLUSH_CMD: + if ( !cp->feat.l1d_flush ) + goto gp_fault; /* MSR available? */ + + if ( val & ~FLUSH_CMD_L1D ) + goto gp_fault; /* Rsvd bit set? */ + + if ( v == curr ) + wrmsrl(MSR_FLUSH_CMD, val); + break; + case MSR_INTEL_MISC_FEATURES_ENABLES: { bool old_cpuid_faulting = msrs->misc_features_enables.cpuid_faulting;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3646_before_imd_1530804339_guest_wrmsr.c
55
56
57
58
59
60
61
62
63
64
break; case MSR_PRED_CMD: if ( !cp->feat.ibrsb && !cp->extd.ibpb ) goto gp_fault; /* MSR available? */ if ( val & ~PRED_CMD_IBPB ) goto gp_fault; /* Rsvd bit set? */ if ( v == curr )
+ show +
65
66
67
68
69
70
wrmsrl(MSR_PRED_CMD, val); break; case MSR_INTEL_MISC_FEATURES_ENABLES: { bool old_cpuid_faulting = msrs->misc_features_enables.cpuid_faulting;
+ show +
71
72
73
74
75
76
77
78
79
80
rsvd = ~0ull; if ( mp->plaform_info.cpuid_faulting ) rsvd &= ~MSR_MISC_FEATURES_CPUID_FAULTING; if ( val & rsvd ) goto gp_fault; msrs->misc_features_enables.raw = val;

[xen_CVE-2018-3665_1528387237_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #1
if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) opt_ibpb = false; + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) + opt_eager_fpu = should_use_eager_fpu(); + /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */ init_shadow_spec_ctrl_state();
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_init_speculation_mitigations.c
120
121
122
123
124
125
126
127
128
129
} /* * HVM guests can always poison the RSB to point at Xen supervisor * mappings. */ if ( opt_rsb_hvm ) setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); /* Check we have hardware IBPB support before using it... */
+ show +
130
131
132
133
134
if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) opt_ibpb = false; /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */ init_shadow_spec_ctrl_state();
+ show +
135
136
137
138
139
140
141
142
143
144
/* If Xen is using any MSR_SPEC_CTRL settings, adjust the idle path. */ if ( default_xen_spec_ctrl ) setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE); xpti_init_default(false); if ( opt_xpti == 0 ) setup_force_cpu_cap(X86_FEATURE_NO_XPTI); else setup_clear_cpu_cap(X86_FEATURE_NO_XPTI);

[xen_CVE-2018-3665_1528387237_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #1
opt_thunk = THUNK_JMP; opt_ibrs = 0; opt_ibpb = false; + opt_eager_fpu = 0; } else if ( val > 0 ) rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_parse_spec_ctrl.c
12
13
14
15
16
17
18
19
20
21
val = parse_bool(s, ss); if ( !val ) { opt_msr_sc_pv = false; opt_msr_sc_hvm = false; disable_common: opt_rsb_pv = false; opt_rsb_hvm = false;
+ show +
22
23
24
25
26
27
opt_thunk = THUNK_JMP; opt_ibrs = 0; opt_ibpb = false; } else if ( val > 0 ) rc = -EINVAL;
+ show +
28
29
30
31
32
33
34
35
36
37
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )

[xen_CVE-2018-3665_1528387237_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #2
opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; else rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2018-3665_before_imd_1527590332_parse_spec_ctrl.c
65
66
67
68
69
70
71
72
73
74
else if ( !strncmp(s, "lfence", ss - s) ) opt_thunk = THUNK_LFENCE; else if ( !strncmp(s, "jmp", ss - s) ) opt_thunk = THUNK_JMP; else rc = -EINVAL; } else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
+ show +
75
76
77
78
79
opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; else rc = -EINVAL;
+ show +
80
81
82
83
84
85
s = ss + 1; } while ( *ss ); return rc; }

[linux_CVE-2018-6412_1520427634_sbusfb_ioctl_helper.diff] sbusfb_ioctl_helper_OLD.c #1
unsigned char __user *ured; unsigned char __user *ugreen; unsigned char __user *ublue; - int index, count, i; + unsigned int index, count, i; if (get_user(index, &c->index) || __get_user(count, &c->count) ||
.\cloneFuncs\totalClone\Type-1\CVE-2018-6412_before_1mo_1392298298_sbusfb_ioctl_helper.c
13
14
15
16
17
18
19
20
21
22
__put_user(0, &f->fb_cmsize) || __put_user(fb_size, &f->fb_cmsize)) return -EFAULT; return 0; } case FBIOPUTCMAP_SPARC: { struct fbcmap __user *c = (struct fbcmap __user *) arg; struct fb_cmap cmap; u16 red, green, blue; u8 red8, green8, blue8;
+ show +
23
24
25
26
27
28
29
unsigned char __user *ured; unsigned char __user *ugreen; unsigned char __user *ublue; int index, count, i; if (get_user(index, &c->index) || __get_user(count, &c->count) ||
+ show +
30
31
32
33
34
35
36
37
38
39
__get_user(ured, &c->red) || __get_user(ugreen, &c->green) || __get_user(ublue, &c->blue)) return -EFAULT; cmap.len = 1; cmap.red = &red; cmap.green = &green; cmap.blue = &blue; cmap.transp = NULL;

[linux_CVE-2018-6412_1520427634_sbusfb_ioctl_helper.diff] sbusfb_ioctl_helper_OLD.c #2
unsigned char __user *ugreen; unsigned char __user *ublue; struct fb_cmap *cmap = &info->cmap; - int index, count, i; + unsigned int index, count, i; u8 red, green, blue; if (get_user(index, &c->index) ||
.\cloneFuncs\totalClone\Type-1\CVE-2018-6412_before_1mo_1392298298_sbusfb_ioctl_helper.c
52
53
54
55
56
57
58
59
60
61
cmap.start = index + i; err = fb_set_cmap(&cmap, info); if (err) return err; } return 0; } case FBIOGETCMAP_SPARC: { struct fbcmap __user *c = (struct fbcmap __user *) arg; unsigned char __user *ured;
+ show +
62
63
64
65
66
67
68
unsigned char __user *ugreen; unsigned char __user *ublue; struct fb_cmap *cmap = &info->cmap; int index, count, i; u8 red, green, blue; if (get_user(index, &c->index) ||
+ show +
69
70
71
72
73
74
75
76
77
78
__get_user(count, &c->count) || __get_user(ured, &c->red) || __get_user(ugreen, &c->green) || __get_user(ublue, &c->blue)) return -EFAULT; if (index + count > cmap->len) return -EINVAL; for (i = 0; i < count; i++) {

[qemu_CVE-2018-7550_1520606224_vga_draw_graphic.diff] vga_draw_graphic_OLD.c #1
region_start = (s->start_addr * 4); region_end = region_start + (ram_addr_t)s->line_offset * height; + region_end += width * s->get_bpp(s) / 8; /* scanline length */ + region_end -= s->line_offset; if (region_end > s->vbe_size) { /* wraps around (can happen with cirrus vbe modes) */ region_start = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2018-7550_before_imd_1517937853_vga_draw_graphic.c
15
16
17
18
19
20
21
22
23
24
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); s->get_resolution(s, &width, &height); disp_width = width;
+ show +
25
26
27
28
29
region_start = (s->start_addr * 4); region_end = region_start + (ram_addr_t)s->line_offset * height; if (region_end > s->vbe_size) { /* wraps around (can happen with cirrus vbe modes) */ region_start = 0;
+ show +
30
31
32
33
34
35
36
37
38
39
region_end = s->vbe_size; force_shadow = true; } shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) { multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13672_after_1mo_1509359310_vga_draw_graphic.c
15
16
17
18
19
20
21
22
23
24
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); s->get_resolution(s, &width, &height); disp_width = width;
+ show +
25
26
27
28
29
region_start = (s->start_addr * 4); region_end = region_start + (ram_addr_t)s->line_offset * height; if (region_end > s->vbe_size) { /* wraps around (can happen with cirrus vbe modes) */ region_start = 0;
+ show +
30
31
32
33
34
35
36
37
38
39
region_end = s->vbe_size; force_shadow = true; } shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) { multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else {
.\cloneFuncs\totalClone\Type-2\CVE-2017-13672_after_imd_1507644803_vga_draw_graphic.c
15
16
17
18
19
20
21
22
23
24
bool byteswap = !s->big_endian_fb; #else bool byteswap = s->big_endian_fb; #endif full_update |= update_basic_params(s); s->get_resolution(s, &width, &height); disp_width = width;
+ show +
25
26
27
28
29
region_start = (s->start_addr * 4); region_end = region_start + (ram_addr_t)s->line_offset * height; if (region_end > s->vbe_size) { /* wraps around (can happen with cirrus vbe modes) */ region_start = 0;
+ show +
30
31
32
33
34
35
36
37
38
39
region_end = s->vbe_size; force_shadow = true; } shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); if (shift_control != 1) { multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan) - 1; } else {

[linux_CVE-2018-7755_1537456188_fd_locked_ioctl.diff] fd_locked_ioctl_OLD.c #1
(struct floppy_struct **)&outparam); if (ret) return ret; + memcpy(&inparam.g, outparam, + offsetof(struct floppy_struct, name)); + outparam = &inparam.g; break; case FDMSGON: UDP->flags |= FTD_MSG;
.\cloneFuncs\totalClone\Type-1\CVE-2018-7755_before_1mo_1527190739_fd_locked_ioctl.c
69
70
71
72
73
74
75
76
77
78
return -EINTR; current_type[drive] = NULL; floppy_sizes[drive] = MAX_DISK_SIZE << 1; UDRS->keep_data = 0; return invalidate_drive(bdev); case FDSETPRM: case FDDEFPRM: return set_geometry(cmd, &inparam.g, drive, type, bdev); case FDGETPRM: ret = get_floppy_geometry(drive, type,
+ show +
79
80
81
82
83
84
(struct floppy_struct **)&outparam); if (ret) return ret; break; case FDMSGON: UDP->flags |= FTD_MSG;
+ show +
85
86
87
88
89
90
91
92
93
94
return 0; case FDMSGOFF: UDP->flags &= ~FTD_MSG; return 0; case FDFMTBEG: if (lock_fdc(drive)) return -EINTR; if (poll_drive(true, FD_RAW_NEED_DISK) == -EINTR) return -EINTR; ret = UDRS->flags;

[xen_CVE-2020-0543_1578512866_init_speculation_mitigations.diff] init_speculation_mitigations_OLD.c #1
tsx_init(); } + /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */ + if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) + { + uint64_t val; + + rdmsrl(MSR_MCU_OPT_CTRL, val); + + /* + * On some SRBDS-affected hardware, it may be safe to relax srb-lock + * by default. + * + * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way + * to access the Fill Buffer. If TSX isn't available (inc. SKU + * reasons on some models), or TSX is explicitly disabled, then there + * is no need for the extra overhead to protect RDRAND/RDSEED. + */ + if ( opt_srb_lock == -1 && + (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO && + (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) ) + opt_srb_lock = 0; + + val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS; + if ( !opt_srb_lock ) + val |= MCU_OPT_CTRL_RNGDS_MITG_DIS; + + default_xen_mcu_opt_ctrl = val; + } + print_details(thunk, caps); /*
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_after_1mo_1582195021_init_speculation_mitigations.c
267
268
269
270
271
272
273
274
275
276
* mitigate TAA. */ if ( opt_tsx == -1 && cpu_has_bug_taa && (caps & ARCH_CAPS_TSX_CTRL) && ((hw_smt_enabled && opt_smt) || !boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) ) { setup_clear_cpu_cap(X86_FEATURE_HLE); setup_clear_cpu_cap(X86_FEATURE_RTM); opt_tsx = 0;
+ show +
277
278
279
280
281
282
tsx_init(); } print_details(thunk, caps); /*
+ show +
283
284
285
286
287
288
289
290
291
292
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-0543_before_imd_1578512866_init_speculation_mitigations.c
275
276
277
278
279
280
281
282
283
284
* mitigate TAA. */ if ( opt_tsx == -1 && cpu_has_bug_taa && (caps & ARCH_CAPS_TSX_CTRL) && ((hw_smt_enabled && opt_smt) || !boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) ) { setup_clear_cpu_cap(X86_FEATURE_HLE); setup_clear_cpu_cap(X86_FEATURE_RTM); opt_tsx = 0;
+ show +
285
286
287
288
289
290
tsx_init(); } print_details(thunk, caps); /*
+ show +
291
292
293
294
295
296
297
298
299
300
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard * any firmware settings. For performance reasons, when safe to do so, we * delay applying non-zero settings until after dom0 has been constructed. * * "when safe to do so" is based on whether we are virtualised. A native * boot won't have any other code running in a position to mount an * attack. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) {

[xen_CVE-2020-0543_1578512866_print_details.diff] print_details_OLD.c #1
"\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_after_1mo_1582195021_print_details.c
29
30
31
32
33
34
35
36
37
38
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
39
40
41
42
43
44
45
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
46
47
48
49
50
51
52
53
54
55
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
.\cloneFuncs\totalClone\Type-1\CVE-2020-0543_before_imd_1578512866_print_details.c
30
31
32
33
34
35
36
37
38
39
/* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" #endif
+ show +
40
41
42
43
44
45
46
"\n"); /* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" :
+ show +
47
48
49
50
51
52
53
54
55
56
thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",

[xen_CVE-2020-0543_1578512866_print_details.diff] print_details_OLD.c #2
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", + !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" : + opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_after_1mo_1582195021_print_details.c
40
41
42
43
44
45
46
47
48
49
/* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" :
+ show +
50
51
52
53
54
55
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
+ show +
56
57
58
59
60
61
62
63
64
65
opt_branch_harden ? " BRANCH_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /*
.\cloneFuncs\totalClone\Type-1\CVE-2020-0543_before_imd_1578512866_print_details.c
41
42
43
44
45
46
47
48
49
50
/* Settings for Xen's protection, irrespective of guests. */ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", !boot_cpu_has(X86_FEATURE_SSBD) ? "" :
+ show +
51
52
53
54
55
56
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
+ show +
57
58
59
60
61
62
63
64
65
66
opt_branch_harden ? " BRANCH_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) printk(" L1TF: believed%s vulnerable, maxphysaddr L1D %u, CPUID %u" ", Safe address %"PRIx64"\n", cpu_has_bug_l1tf ? "" : " not", l1d_maxphysaddr, paddr_bits, l1tf_safe_maddr); /*

[xen_CVE-2020-0543_1578512866_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #2
opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) + opt_srb_lock = val; else rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_after_imd_1580731470_parse_spec_ctrl.c
102
103
104
105
106
107
108
109
110
111
} else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+ show +
112
113
114
115
116
opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; else rc = -EINVAL;
+ show +
117
118
119
120
121
122
s = ss + 1; } while ( *ss ); return rc; }
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_parse_spec_ctrl.c
99
100
101
102
103
104
105
106
107
108
} else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+ show +
109
110
111
112
113
opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; else rc = -EINVAL;
+ show +
114
115
116
117
118
119
s = ss + 1; } while ( *ss ); return rc; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-0543_before_imd_1578512866_parse_spec_ctrl.c
101
102
103
104
105
106
107
108
109
110
} else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+ show +
111
112
113
114
115
opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; else rc = -EINVAL;
+ show +
116
117
118
119
120
121
s = ss + 1; } while ( *ss ); return rc; }

[xen_CVE-2019-11135_1560964563_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #1
opt_branch_harden = false; + if ( opt_tsx == -1 ) + opt_tsx = -3; + disable_common: opt_rsb_pv = false; opt_rsb_hvm = false;
.\cloneFuncs\totalClone\Type-1\CVE-2019-11135_before_imd_1571129851_parse_spec_ctrl.c
23
24
25
26
27
28
29
30
31
32
opt_xpti_domu = 0; if ( opt_smt < 0 ) opt_smt = 1; if ( opt_pv_l1tf_hwdom < 0 ) opt_pv_l1tf_hwdom = 0; if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu = 0;
+ show +
33
34
35
36
37
opt_branch_harden = false; disable_common: opt_rsb_pv = false; opt_rsb_hvm = false;
+ show +
38
39
40
41
42
43
44
45
46
47
opt_md_clear_pv = 0; opt_md_clear_hvm = 0; opt_thunk = THUNK_JMP; opt_ibrs = 0; opt_ibpb = false; opt_ssbd = false; opt_l1d_flush = 0; } else if ( val > 0 )

[linux_CVE-2019-11477_1558138642_tcp_collapse_retrans.diff] tcp_collapse_retrans_OLD.c #1
if (next_skb_size <= skb_availroom(skb)) skb_copy_bits(next_skb, 0, skb_put(skb, next_skb_size), next_skb_size); - else if (!skb_shift(skb, next_skb, next_skb_size)) + else if (!tcp_skb_shift(skb, next_skb, 1, next_skb_size)) return false; } tcp_highest_sack_replace(sk, next_skb, skb);
.\cloneFuncs\totalClone\Type-1\CVE-2019-11477_before_1mo_1554389163_tcp_collapse_retrans.c
2
3
4
5
6
7
8
9
10
11
{ struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *next_skb = skb_rb_next(skb); int next_skb_size; next_skb_size = next_skb->len; BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1); if (next_skb_size) {
+ show +
12
13
14
15
16
17
18
if (next_skb_size <= skb_availroom(skb)) skb_copy_bits(next_skb, 0, skb_put(skb, next_skb_size), next_skb_size); else if (!skb_shift(skb, next_skb, next_skb_size)) return false; } tcp_highest_sack_replace(sk, next_skb, skb);
+ show +
19
20
21
22
23
24
25
26
27
28
/* Update sequence range on original skb. */ TCP_SKB_CB(skb)->end_seq = TCP_SKB_CB(next_skb)->end_seq; /* Merge over control information. This moves PSH/FIN etc. over */ TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(next_skb)->tcp_flags; /* All done, get rid of second SKB and account for it so * packet counting does not break. */

[linux_CVE-2019-11478_1563562353_tcp_fragment.diff] tcp_fragment_OLD.c #1
struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *buff; int nsize, old_factor; + long limit; int nlen; u8 flags;
.\cloneFuncs\totalClone\Type-1\CVE-2019-11478_before_imd_1561208364_tcp_fragment.c
1
2
3
4
int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue, struct sk_buff *skb, u32 len, unsigned int mss_now, gfp_t gfp) {
+ show +
5
6
7
8
9
struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *buff; int nsize, old_factor; int nlen; u8 flags;
+ show +
10
11
12
13
14
15
16
17
18
19
if (WARN_ON(len > skb->len)) return -EINVAL; nsize = skb_headlen(skb) - len; if (nsize < 0) nsize = 0; if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf && tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
.\cloneFuncs\totalClone\Type-3\CVE-2019-11478_before_1mo_1560826093_tcp_fragment.c
1
2
3
4
int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue, struct sk_buff *skb, u32 len, unsigned int mss_now, gfp_t gfp) {
+ show +
5
6
7
8
9
struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *buff; int nsize, old_factor; int nlen; u8 flags;
+ show +
10
11
12
13
14
15
16
17
18
19
if (WARN_ON(len > skb->len)) return -EINVAL; nsize = skb_headlen(skb) - len; if (nsize < 0) nsize = 0; if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
.\cloneFuncs\totalClone\Type-3\CVE-2019-11478_before_6mo_1547679935_tcp_fragment.c
1
2
3
4
int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue, struct sk_buff *skb, u32 len, unsigned int mss_now, gfp_t gfp) {
+ show +
5
6
7
8
9
struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *buff; int nsize, old_factor; int nlen; u8 flags;
+ show +
10
11
12
13
14
15
16
17
18
19
if (WARN_ON(len > skb->len)) return -EINVAL; nsize = skb_headlen(skb) - len; if (nsize < 0) nsize = 0; if (skb_unclone(skb, gfp)) return -ENOMEM;

[linux_CVE-2019-11478_1563562353_tcp_fragment.diff] tcp_fragment_OLD.c #2
if (nsize < 0) nsize = 0; - if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf && - tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) { + /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb. + * We need some allowance to not penalize applications setting small + * SO_SNDBUF values. + * Also allow first and last skb in retransmit queue to be split. + */ + limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE); + if (unlikely((sk->sk_wmem_queued >> 1) > limit && + tcp_queue != TCP_FRAG_IN_WRITE_QUEUE && + skb != tcp_rtx_queue_head(sk) && + skb != tcp_rtx_queue_tail(sk))) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); return -ENOMEM; }
.\cloneFuncs\totalClone\Type-1\CVE-2019-11478_before_imd_1561208364_tcp_fragment.c
5
6
7
8
9
10
11
12
13
14
struct tcp_sock *tp = tcp_sk(sk); struct sk_buff *buff; int nsize, old_factor; int nlen; u8 flags; if (WARN_ON(len > skb->len)) return -EINVAL; nsize = skb_headlen(skb) - len;
+ show +
15
16
17
18
19
20
21
22
if (nsize < 0) nsize = 0; if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf && tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); return -ENOMEM; }
+ show +
23
24
25
26
27
28
29
30
31
32
if (skb_unclone(skb, gfp)) return -ENOMEM; /* Get a new skb... force flag on. */ buff = sk_stream_alloc_skb(sk, nsize, gfp, true); if (!buff) return -ENOMEM; /* We'll just try again later. */ sk->sk_wmem_queued += buff->truesize;

[linux_CVE-2019-11833_1557530886_ext4_ext_grow_indepth.diff] ext4_ext_grow_indepth_OLD.c #1
ext4_fsblk_t newblock, goal = 0; struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; int err = 0; + size_t ext_size = 0; /* Try to prepend new index to old one */ if (ext_depth(inode))
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_grow_indepth.c
1
2
3
4
5
static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, unsigned int flags) { struct ext4_extent_header *neh; struct buffer_head *bh;
+ show +
6
7
8
9
10
11
ext4_fsblk_t newblock, goal = 0; struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; int err = 0; /* Try to prepend new index to old one */ if (ext_depth(inode))
+ show +
12
13
14
15
16
17
18
19
20
21
goal = ext4_idx_pblock(EXT_FIRST_INDEX(ext_inode_hdr(inode))); if (goal > le32_to_cpu(es->s_first_data_block)) { flags |= EXT4_MB_HINT_TRY_GOAL; goal--; } else goal = ext4_inode_to_goal_block(inode); newblock = ext4_new_meta_blocks(handle, inode, goal, flags, NULL, &err); if (newblock == 0) return err;

[linux_CVE-2019-11833_1557530886_ext4_ext_grow_indepth.diff] ext4_ext_grow_indepth_OLD.c #2
goto out; } + ext_size = sizeof(EXT4_I(inode)->i_data); /* move top-level index/leaf into new block */ - memmove(bh->b_data, EXT4_I(inode)->i_data, - sizeof(EXT4_I(inode)->i_data)); + memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); + /* zero out unused area in the extent block */ + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); /* set size of new block */ neh = ext_block_hdr(bh);
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_grow_indepth.c
21
22
23
24
25
26
27
28
29
30
return err; bh = sb_getblk_gfp(inode->i_sb, newblock, __GFP_MOVABLE | GFP_NOFS); if (unlikely(!bh)) return -ENOMEM; lock_buffer(bh); err = ext4_journal_get_create_access(handle, bh); if (err) { unlock_buffer(bh);
+ show +
31
32
33
34
35
36
37
38
39
goto out; } /* move top-level index/leaf into new block */ memmove(bh->b_data, EXT4_I(inode)->i_data, sizeof(EXT4_I(inode)->i_data)); /* set size of new block */ neh = ext_block_hdr(bh);
+ show +
40
41
42
43
44
45
46
47
48
49
/* old root could have indexes or leaves * so calculate e_max right way */ if (ext_depth(inode)) neh->eh_max = cpu_to_le16(ext4_ext_space_block_idx(inode, 0)); else neh->eh_max = cpu_to_le16(ext4_ext_space_block(inode, 0)); neh->eh_magic = EXT4_EXT_MAGIC; ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);

[linux_CVE-2019-11833_1557530886_ext4_ext_split.diff] ext4_ext_split_OLD.c #1
__le32 border; ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ int err = 0; + size_t ext_size = 0; /* make decision: where to split? */ /* FIXME: now decision is simplest: at current extent */
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_split.c
2
3
4
5
6
7
8
9
10
11
unsigned int flags, struct ext4_ext_path *path, struct ext4_extent *newext, int at) { struct buffer_head *bh = NULL; int depth = ext_depth(inode); struct ext4_extent_header *neh; struct ext4_extent_idx *fidx; int i = at, k, m, a; ext4_fsblk_t newblock, oldblock;
+ show +
12
13
14
15
16
17
__le32 border; ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ int err = 0; /* make decision: where to split? */ /* FIXME: now decision is simplest: at current extent */
+ show +
18
19
20
21
22
23
24
25
26
27
/* if current leaf will be split, then we should use * border from split point */ if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) { EXT4_ERROR_INODE(inode, "p_ext > EXT_MAX_EXTENT!"); return -EFSCORRUPTED; } if (path[depth].p_ext != EXT_MAX_EXTENT(path[depth].p_hdr)) { border = path[depth].p_ext[1].ee_block; ext_debug("leaf will be split."

[linux_CVE-2019-11833_1557530886_ext4_ext_split.diff] ext4_ext_split_OLD.c #2
le16_add_cpu(&neh->eh_entries, m); } + /* zero out unused area in the extent block */ + ext_size = sizeof(struct ext4_extent_header) + + sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_split.c
93
94
95
96
97
98
99
100
101
102
err = -EFSCORRUPTED; goto cleanup; } /* start copy from next extent */ m = EXT_MAX_EXTENT(path[depth].p_hdr) - path[depth].p_ext++; ext4_ext_show_move(inode, path, newblock, depth); if (m) { struct ext4_extent *ex; ex = EXT_FIRST_EXTENT(neh); memmove(ex, path[depth].p_ext, sizeof(struct ext4_extent) * m);
+ show +
103
104
105
106
107
108
le16_add_cpu(&neh->eh_entries, m); } ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);
+ show +
109
110
111
112
113
114
115
116
117
118
err = ext4_handle_dirty_metadata(handle, inode, bh); if (err) goto cleanup; brelse(bh); bh = NULL; /* correct old leaf */ if (m) { err = ext4_ext_get_access(handle, inode, path + depth);
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_split.c
173
174
175
176
177
178
179
180
181
182
goto cleanup; } /* start copy indexes */ m = EXT_MAX_INDEX(path[i].p_hdr) - path[i].p_idx++; ext_debug("cur 0x%p, last 0x%p\n", path[i].p_idx, EXT_MAX_INDEX(path[i].p_hdr)); ext4_ext_show_move(inode, path, newblock, i); if (m) { memmove(++fidx, path[i].p_idx, sizeof(struct ext4_extent_idx) * m);
+ show +
183
184
185
186
187
le16_add_cpu(&neh->eh_entries, m); } ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);
+ show +
188
189
190
191
192
193
194
195
196
197
err = ext4_handle_dirty_metadata(handle, inode, bh); if (err) goto cleanup; brelse(bh); bh = NULL; /* correct old index */ if (m) { err = ext4_ext_get_access(handle, inode, path + i);

[linux_CVE-2019-11833_1557530886_ext4_ext_split.diff] ext4_ext_split_OLD.c #3
sizeof(struct ext4_extent_idx) * m); le16_add_cpu(&neh->eh_entries, m); } + /* zero out unused area in the extent block */ + ext_size = sizeof(struct ext4_extent_header) + + (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); + memset(bh->b_data + ext_size, 0, + inode->i_sb->s_blocksize - ext_size); ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);
.\cloneFuncs\totalClone\Type-1\CVE-2019-11833_before_1mo_1551414851_ext4_ext_split.c
172
173
174
175
176
177
178
179
180
181
err = -EFSCORRUPTED; goto cleanup; } /* start copy indexes */ m = EXT_MAX_INDEX(path[i].p_hdr) - path[i].p_idx++; ext_debug("cur 0x%p, last 0x%p\n", path[i].p_idx, EXT_MAX_INDEX(path[i].p_hdr)); ext4_ext_show_move(inode, path, newblock, i); if (m) { memmove(++fidx, path[i].p_idx,
+ show +
182
183
184
185
186
187
sizeof(struct ext4_extent_idx) * m); le16_add_cpu(&neh->eh_entries, m); } ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh);
+ show +
188
189
190
191
192
193
194
195
196
197
err = ext4_handle_dirty_metadata(handle, inode, bh); if (err) goto cleanup; brelse(bh); bh = NULL; /* correct old index */ if (m) { err = ext4_ext_get_access(handle, inode, path + i);

[qemu_CVE-2019-12068_1565784321_lsi_execute_script.diff] lsi_execute_script_OLD.c #1
s->istat1 |= LSI_ISTAT1_SRUN; again: - insn_processed++; + if (++insn_processed > LSI_MAX_INSN) { + /* Some windows drivers make the device spin waiting for a memory + location to change. If we have been executed a lot of code then + assume this is the case and force an unexpected device disconnect. + This is apparently sufficient to beat the drivers into submission. + */ + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); + } + lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0); + lsi_disconnect(s); + trace_lsi_execute_script_stop(); + return; + } insn = read_dword(s, s->dsp); if (!insn) { /* If we receive an empty opcode increment the DSP by 4 bytes
.\cloneFuncs\totalClone\Type-1\CVE-2019-12068_before_1mo_1558622107_lsi_execute_script.c
1
2
3
4
5
6
7
8
static void lsi_execute_script(LSIState *s) { PCIDevice *pci_dev = PCI_DEVICE(s); uint32_t insn; uint32_t addr, addr_high; int opcode; int insn_processed = 0;
+ show +
9
10
11
12
13
14
s->istat1 |= LSI_ISTAT1_SRUN; again: insn_processed++; insn = read_dword(s, s->dsp); if (!insn) { /* If we receive an empty opcode increment the DSP by 4 bytes
+ show +
15
16
17
18
19
20
21
22
23
24
instead of 8 and execute the next opcode at that location */ s->dsp += 4; goto again; } addr = read_dword(s, s->dsp + 4); addr_high = 0; trace_lsi_execute_script(s->dsp, insn, addr); s->dsps = addr; s->dcmd = insn >> 24; s->dsp += 8;
.\cloneFuncs\totalClone\Type-3\CVE-2019-12068_before_6mo_1544740657_lsi_execute_script.c
1
2
3
4
5
6
7
8
static void lsi_execute_script(LSIState *s) { PCIDevice *pci_dev = PCI_DEVICE(s); uint32_t insn; uint32_t addr, addr_high; int opcode; int insn_processed = 0;
+ show +
9
10
11
12
13
14
s->istat1 |= LSI_ISTAT1_SRUN; again: insn_processed++; insn = read_dword(s, s->dsp); if (!insn) { /* If we receive an empty opcode increment the DSP by 4 bytes
+ show +
15
16
17
18
19
20
21
22
23
24
instead of 8 and execute the next opcode at that location */ s->dsp += 4; goto again; } addr = read_dword(s, s->dsp + 4); addr_high = 0; trace_lsi_execute_script(s->dsp, insn, addr); s->dsps = addr; s->dcmd = insn >> 24; s->dsp += 8;

[linux_CVE-2019-13648_1563512702_SYSCALL_DEFINE0.diff] SYSCALL_DEFINE0_OLD.c #1
if (MSR_TM_ACTIVE(msr)) { /* We recheckpoint on return. */ struct ucontext __user *uc_transact; + + /* Trying to start TM on non TM system */ + if (!cpu_has_feature(CPU_FTR_TM)) + goto badframe; + if (__get_user(uc_transact, &uc->uc_link)) goto badframe; if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
.\cloneFuncs\totalClone\Type-1\CVE-2019-13648_before_imd_1562647695_SYSCALL_DEFINE0.c
51
52
53
54
55
56
57
58
59
60
* Clearing MSR[TS] state here will avoid a recheckpoint if there * is any process reschedule in kernel space. The MSR[TS] state * does not need to be saved also, since it will be replaced with * the MSR[TS] that came from user context later, at * restore_tm_sigcontexts. */ regs->msr &= ~MSR_TS_MASK; if (__get_user(msr, &uc->uc_mcontext.gp_regs[PT_MSR])) goto badframe;
+ show +
61
62
63
64
65
66
if (MSR_TM_ACTIVE(msr)) { /* We recheckpoint on return. */ struct ucontext __user *uc_transact; if (__get_user(uc_transact, &uc->uc_link)) goto badframe; if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
+ show +
67
68
69
70
71
72
73
74
75
76
&uc_transact->uc_mcontext)) goto badframe; } else #endif { /* * Fall through, for non-TM restore * * Unset MSR[TS] on the thread regs since MSR from user * context does not have MSR active, and recheckpoint was
.\cloneFuncs\totalClone\Type-2\CVE-2019-13648_before_1mo_1558940101_SYSCALL_DEFINE0.c
51
52
53
54
55
56
57
58
59
60
* Clearing MSR[TS] state here will avoid a recheckpoint if there * is any process reschedule in kernel space. The MSR[TS] state * does not need to be saved also, since it will be replaced with * the MSR[TS] that came from user context later, at * restore_tm_sigcontexts. */ regs->msr &= ~MSR_TS_MASK; if (__get_user(msr, &uc->uc_mcontext.gp_regs[PT_MSR])) goto badframe;
+ show +
61
62
63
64
65
66
if (MSR_TM_ACTIVE(msr)) { /* We recheckpoint on return. */ struct ucontext __user *uc_transact; if (__get_user(uc_transact, &uc->uc_link)) goto badframe; if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
+ show +
67
68
69
70
71
72
73
74
75
76
&uc_transact->uc_mcontext)) goto badframe; } else #endif { /* * Fall through, for non-TM restore * * Unset MSR[TS] on the thread regs since MSR from user * context does not have MSR active, and recheckpoint was
.\cloneFuncs\totalClone\Type-3\CVE-2019-13648_before_6mo_1547039805_SYSCALL_DEFINE0.c
26
27
28
29
30
31
32
33
34
35
* active in the kernel, we are active, there is nothing better to * do than go ahead and Bad Thing later. * The cause is not important as there will never be a * recheckpoint so it's not user visible. */ if (MSR_TM_SUSPENDED(mfmsr())) tm_reclaim_current(0); if (__get_user(msr, &uc->uc_mcontext.gp_regs[PT_MSR])) goto badframe;
+ show +
36
37
38
39
40
41
if (MSR_TM_ACTIVE(msr)) { /* We recheckpoint on return. */ struct ucontext __user *uc_transact; if (__get_user(uc_transact, &uc->uc_link)) goto badframe; if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
+ show +
42
43
44
45
46
47
48
49
50
51
&uc_transact->uc_mcontext)) goto badframe; } else #endif { /* * Fall through, for non-TM restore * * Unset MSR[TS] on the thread regs since MSR from user * context does not have MSR active, and recheckpoint was

[linux_CVE-2019-14615_1578504300_gen9_init_indirectctx_bb.diff] gen9_init_indirectctx_bb_OLD.c #1
/* WaFlushCoherentL3CacheLinesAtContextSwitch:skl,bxt,glk */ batch = gen8_emit_flush_coherentl3_wa(engine, batch); + /* WaClearSlmSpaceAtContextSwitch:skl,bxt,kbl,glk,cfl */ + batch = gen8_emit_pipe_control(batch, + PIPE_CONTROL_FLUSH_L3 | + PIPE_CONTROL_STORE_DATA_INDEX | + PIPE_CONTROL_CS_STALL | + PIPE_CONTROL_QW_WRITE, + LRC_PPHWSP_SCRATCH_ADDR); + batch = emit_lri(batch, lri, ARRAY_SIZE(lri)); /* WaMediaPoolStateCmdInWABB:bxt,glk */
.\cloneFuncs\totalClone\Type-1\CVE-2019-14615_before_1mo_1575557974_gen9_init_indirectctx_bb.c
18
19
20
21
22
23
24
25
26
27
/* BSpec: 11299 */ { _3D_CHICKEN3, __MASKED_FIELD(_3D_CHICKEN_SF_PROVOKING_VERTEX_FIX, _3D_CHICKEN_SF_PROVOKING_VERTEX_FIX), } }; *batch++ = MI_ARB_ON_OFF | MI_ARB_DISABLE;
+ show +
28
29
30
31
32
33
/* WaFlushCoherentL3CacheLinesAtContextSwitch:skl,bxt,glk */ batch = gen8_emit_flush_coherentl3_wa(engine, batch); batch = emit_lri(batch, lri, ARRAY_SIZE(lri)); /* WaMediaPoolStateCmdInWABB:bxt,glk */
+ show +
34
35
36
37
38
39
40
41
42
43
if (HAS_POOLED_EU(engine->i915)) { /* * EU pool configuration is setup along with golden context * during context initialization. This value depends on * device type (2x6 or 3x6) and needs to be updated based * on which subslice is disabled especially for 2x6 * devices, however it is safe to load default * configuration of 3x6 device instead of masking off * corresponding bits because HW ignores bits of a disabled * subslice and drops down to appropriate config. Please

[linux_CVE-2019-14814_1566958071_mwifiex_set_uap_rates.diff] mwifiex_set_uap_rates_OLD.c #1
rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); if (rate_ie) { + if (rate_ie->len > MWIFIEX_SUPPORTED_RATES) + return; memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); rate_len = rate_ie->len; }
.\cloneFuncs\totalClone\Type-1\CVE-2019-14814_before_1mo_1498633018_mwifiex_set_uap_rates.c
1
2
3
4
5
6
7
8
9
10
void mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg, struct cfg80211_ap_settings *params) { struct ieee_types_header *rate_ie; int var_offset = offsetof(struct ieee80211_mgmt, u.beacon.variable); const u8 *var_pos = params->beacon.head + var_offset; int len = params->beacon.head_len - var_offset; u8 rate_len = 0;
+ show +
11
12
13
14
15
rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); if (rate_ie) { memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); rate_len = rate_ie->len; }
+ show +
16
17
18
19
20
21
22
23
24
rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, params->beacon.tail, params->beacon.tail_len); if (rate_ie) memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len); return; }

[linux_CVE-2019-14814_1566958071_mwifiex_set_wmm_params.diff] mwifiex_set_wmm_params_OLD.c #1
params->beacon.tail_len); if (vendor_ie) { wmm_ie = vendor_ie; + if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info)) + return; memcpy(&bss_cfg->wmm_info, wmm_ie + sizeof(struct ieee_types_header), *(wmm_ie + 1)); priv->wmm_enabled = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2019-14814_before_1mo_1498633018_mwifiex_set_wmm_params.c
3
4
5
6
7
8
9
10
11
12
struct mwifiex_uap_bss_param *bss_cfg, struct cfg80211_ap_settings *params) { const u8 *vendor_ie; const u8 *wmm_ie; u8 wmm_oui[] = {0x00, 0x50, 0xf2, 0x02}; vendor_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, WLAN_OUI_TYPE_MICROSOFT_WMM, params->beacon.tail,
+ show +
13
14
15
16
17
18
params->beacon.tail_len); if (vendor_ie) { wmm_ie = vendor_ie; memcpy(&bss_cfg->wmm_info, wmm_ie + sizeof(struct ieee_types_header), *(wmm_ie + 1)); priv->wmm_enabled = 1;
+ show +
19
20
21
22
23
24
25
26
27
28
} else { memset(&bss_cfg->wmm_info, 0, sizeof(bss_cfg->wmm_info)); memcpy(&bss_cfg->wmm_info.oui, wmm_oui, sizeof(wmm_oui)); bss_cfg->wmm_info.subtype = MWIFIEX_WMM_SUBTYPE; bss_cfg->wmm_info.version = MWIFIEX_WMM_VERSION; priv->wmm_enabled = 0; } bss_cfg->qos_info = 0x00; return;

[linux_CVE-2019-14821_1568668614_coalesced_mmio_has_room.diff] coalesced_mmio_has_room_OLD.c #1
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) +static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last) { struct kvm_coalesced_mmio_ring *ring; unsigned avail;
.\cloneFuncs\totalClone\Type-1\CVE-2019-14821_before_1mo_1545068179_coalesced_mmio_has_room.c
+ show +
1
2
3
4
static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) { struct kvm_coalesced_mmio_ring *ring; unsigned avail;
+ show +
5
6
7
8
9
10
11
12
13
14
/* Are we able to batch it ? */ /* last is the first free entry * check if we don't meet the first used entry * there is always one unused entry in the buffer */ ring = dev->kvm->coalesced_mmio_ring; avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX; if (avail == 0) {

[linux_CVE-2019-14895_1574352278_mwifiex_bss_start.diff] mwifiex_bss_start_OLD.c #1
priv->scan_block = false; if (bss) { - if (adapter->region_code == 0x00) - mwifiex_process_country_ie(priv, bss); + if (adapter->region_code == 0x00 && + mwifiex_process_country_ie(priv, bss)) + return -EINVAL; /* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
.\cloneFuncs\totalClone\Type-1\CVE-2019-14895_before_1mo_1550066378_mwifiex_bss_start.c
1
2
3
4
5
6
7
int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, struct cfg80211_ssid *req_ssid) { int ret; struct mwifiex_adapter *adapter = priv->adapter; struct mwifiex_bssdescriptor *bss_desc = NULL;
+ show +
8
9
10
11
12
13
14
15
priv->scan_block = false; if (bss) { if (adapter->region_code == 0x00) mwifiex_process_country_ie(priv, bss); /* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
+ show +
16
17
18
19
20
21
22
23
24
25
GFP_KERNEL); if (!bss_desc) return -ENOMEM; ret = mwifiex_fill_new_bss_desc(priv, bss, bss_desc); if (ret) goto done; } if (priv->bss_mode == NL80211_IFTYPE_STATION ||

[linux_CVE-2019-14895_1574352278_mwifiex_process_country_ie.diff] mwifiex_process_country_ie_OLD.c #1
"11D: skip setting domain info in FW\n"); return 0; } + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { + mwifiex_dbg(priv->adapter, ERROR, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; + } + memcpy(priv->adapter->country_code, &country_ie[2], 2); domain_info->country_code[0] = country_ie[2];
.\cloneFuncs\totalClone\Type-1\CVE-2019-14895_before_1mo_1550066378_mwifiex_process_country_ie.c
15
16
17
18
19
20
21
22
23
24
country_ie_len = country_ie[1]; if (country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN) { rcu_read_unlock(); return 0; } if (!strncmp(priv->adapter->country_code, &country_ie[2], 2)) { rcu_read_unlock(); mwifiex_dbg(priv->adapter, INFO,
+ show +
25
26
27
28
29
30
"11D: skip setting domain info in FW\n"); return 0; } memcpy(priv->adapter->country_code, &country_ie[2], 2); domain_info->country_code[0] = country_ie[2];
+ show +
31
32
33
34
35
36
37
38
39
40
domain_info->country_code[1] = country_ie[3]; domain_info->country_code[2] = ' '; country_ie_len -= IEEE80211_COUNTRY_STRING_LEN; domain_info->no_of_triplet = country_ie_len / sizeof(struct ieee80211_country_ie_triplet); memcpy((u8 *)domain_info->triplet, &country_ie[2] + IEEE80211_COUNTRY_STRING_LEN, country_ie_len);

[linux_CVE-2019-14896_1574938264_add_ie_rates.diff] add_ie_rates_OLD.c #1
int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2;
.\cloneFuncs\totalClone\Type-1\CVE-2019-14896_before_1mo_1509786470_add_ie_rates.c
1
2
3
static u8 * add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) {
+ show +
4
5
6
7
8
int hw, ap, ap_max = ie[1]; u8 hw_rate; /* Advance past IE header */ ie += 2;
+ show +
9
10
11
12
13
14
15
16
17
18
lbs_deb_hex(LBS_DEB_ASSOC, "AP IE Rates", (u8 *) ie, ap_max); for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { hw_rate = lbs_rates[hw].bitrate / 5; for (ap = 0; ap < ap_max; ap++) { if (hw_rate == (ie[ap] & 0x7f)) { *tlv++ = ie[ap]; *nrates = *nrates + 1; }

[linux_CVE-2019-14896_1574938264_lbs_ibss_join_existing.diff] lbs_ibss_join_existing_OLD.c #1
struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; + int hw, i; + u8 rates_max; + u8 *rates; /* TODO: set preamble based on scan result */ ret = lbs_set_radio(priv, preamble, 1);
.\cloneFuncs\totalClone\Type-1\CVE-2019-14896_before_1mo_1509786470_lbs_ibss_join_existing.c
1
2
3
4
5
static int lbs_ibss_join_existing(struct lbs_private *priv, struct cfg80211_ibss_params *params, struct cfg80211_bss *bss) { const u8 *rates_eid;
+ show +
6
7
8
9
10
11
struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; /* TODO: set preamble based on scan result */ ret = lbs_set_radio(priv, preamble, 1);
+ show +
12
13
14
15
16
17
18
19
20
21
if (ret) goto out; /* * Example CMD_802_11_AD_HOC_JOIN command: * * command 2c 00 CMD_802_11_AD_HOC_JOIN * size 65 00 * sequence xx xx * result 00 00

[linux_CVE-2019-14896_1574938264_lbs_ibss_join_existing.diff] lbs_ibss_join_existing_OLD.c #2
if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { - int hw, i; - u8 rates_max = rates_eid[1]; - u8 *rates = cmd.bss.rates; + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } + rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-14896_before_1mo_1509786470_lbs_ibss_join_existing.c
54
55
56
57
58
59
60
61
62
63
cmd.bss.ds.channel = params->chandef.chan->hw_value; cmd.bss.ibss.header.id = WLAN_EID_IBSS_PARAMS; cmd.bss.ibss.header.len = 2; cmd.bss.ibss.atimwindow = 0; cmd.bss.capability = cpu_to_le16(bss->capability & CAPINFO_MASK); /* set rates to the intersection of our rates and the rates in the bss */ rcu_read_lock(); rates_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
+ show +
64
65
66
67
68
69
70
71
72
if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { int hw, i; u8 rates_max = rates_eid[1]; u8 *rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {
+ show +
73
74
75
76
77
78
79
80
81
82
if (hw_rate == (rates_eid[i+2] & 0x7f)) { u8 rate = rates_eid[i+2]; if (rate == 0x02 || rate == 0x04 || rate == 0x0b || rate == 0x16) rate |= 0x80; *rates++ = rate; } } } }

[linux_CVE-2019-15030_1567572927_giveup_all.diff] giveup_all_OLD.c #1
if (!tsk->thread.regs) return; + check_if_tm_restore_required(tsk); + usermsr = tsk->thread.regs->msr; if ((usermsr & msr_all_available) == 0) return; msr_check_and_set(msr_all_available); - check_if_tm_restore_required(tsk); WARN_ON((usermsr & MSR_VSX) && !((usermsr & MSR_FP) && (usermsr & MSR_VEC)));
.\cloneFuncs\totalClone\Type-1\CVE-2019-15030_before_1mo_1562647695_giveup_all.c
1
2
3
4
void giveup_all(struct task_struct *tsk) { unsigned long usermsr;
+ show +
5
6
7
8
9
10
11
12
13
14
15
16
if (!tsk->thread.regs) return; usermsr = tsk->thread.regs->msr; if ((usermsr & msr_all_available) == 0) return; msr_check_and_set(msr_all_available); check_if_tm_restore_required(tsk); WARN_ON((usermsr & MSR_VSX) && !((usermsr & MSR_FP) && (usermsr & MSR_VEC)));
+ show +
17
18
19
20
21
22
23
24
25
26
#ifdef CONFIG_PPC_FPU if (usermsr & MSR_FP) __giveup_fpu(tsk); #endif #ifdef CONFIG_ALTIVEC if (usermsr & MSR_VEC) __giveup_altivec(tsk); #endif #ifdef CONFIG_SPE

[linux_CVE-2019-15098_1564878544_ath6kl_usb_alloc_urb_from_pipe.diff] ath6kl_usb_alloc_urb_from_pipe_OLD.c #1
struct ath6kl_urb_context *urb_context = NULL; unsigned long flags; + /* bail if this pipe is not initialized */ + if (!pipe->ar_usb) + return NULL; + spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context =
.\cloneFuncs\totalClone\Type-1\CVE-2019-15098_before_1mo_1414716337_ath6kl_usb_alloc_urb_from_pipe.c
1
2
3
static struct ath6kl_urb_context * ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) {
+ show +
4
5
6
7
8
9
struct ath6kl_urb_context *urb_context = NULL; unsigned long flags; spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context =
+ show +
10
11
12
13
14
15
16
17
18
list_first_entry(&pipe->urb_list_head, struct ath6kl_urb_context, link); list_del(&urb_context->link); pipe->urb_cnt--; } spin_unlock_irqrestore(&pipe->ar_usb->cs_lock, flags); return urb_context; }

[linux_CVE-2019-15098_1564878544_ath6kl_usb_free_urb_to_pipe.diff] ath6kl_usb_free_urb_to_pipe_OLD.c #1
{ unsigned long flags; + /* bail if this pipe is not initialized */ + if (!pipe->ar_usb) + return; + spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;
.\cloneFuncs\totalClone\Type-1\CVE-2019-15098_before_1mo_1414716337_ath6kl_usb_free_urb_to_pipe.c
1
2
static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, struct ath6kl_urb_context *urb_context)
+ show +
3
4
5
6
7
{ unsigned long flags; spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;
+ show +
8
9
10
11
list_add(&urb_context->link, &pipe->urb_list_head); spin_unlock_irqrestore(&pipe->ar_usb->cs_lock, flags); }

[linux_CVE-2019-19037_1575306132_ext4_empty_dir.diff] ext4_empty_dir_OLD.c #1
{ unsigned int offset; struct buffer_head *bh; - struct ext4_dir_entry_2 *de, *de1; + struct ext4_dir_entry_2 *de; struct super_block *sb; if (ext4_has_inline_data(inode)) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-19037_before_1mo_1567489397_ext4_empty_dir.c
1
bool ext4_empty_dir(struct inode *inode)
+ show +
2
3
4
5
6
7
8
{ unsigned int offset; struct buffer_head *bh; struct ext4_dir_entry_2 *de, *de1; struct super_block *sb; if (ext4_has_inline_data(inode)) {
+ show +
9
10
11
12
13
14
15
16
17
18
int has_inline_data = 1; int ret; ret = empty_inline_dir(inode, &has_inline_data); if (has_inline_data) return ret; } sb = inode->i_sb; if (inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)) {
.\cloneFuncs\totalClone\Type-3\CVE-2019-19037_before_6mo_1558291396_ext4_empty_dir.c
1
bool ext4_empty_dir(struct inode *inode)
+ show +
2
3
4
5
6
7
8
{ unsigned int offset; struct buffer_head *bh; struct ext4_dir_entry_2 *de, *de1; struct super_block *sb; if (ext4_has_inline_data(inode)) {
+ show +
9
10
11
12
13
14
15
16
17
18
int has_inline_data = 1; int ret; ret = empty_inline_dir(inode, &has_inline_data); if (has_inline_data) return ret; } sb = inode->i_sb; if (inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)) {

[linux_CVE-2019-19037_1575306132_ext4_empty_dir.diff] ext4_empty_dir_OLD.c #2
return true; de = (struct ext4_dir_entry_2 *) bh->b_data; - de1 = ext4_next_entry(de, sb->s_blocksize); - if (le32_to_cpu(de->inode) != inode->i_ino || - le32_to_cpu(de1->inode) == 0 || - strcmp(".", de->name) || strcmp("..", de1->name)) { - ext4_warning_inode(inode, "directory missing '.' and/or '..'"); + if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, + 0) || + le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) { + ext4_warning_inode(inode, "directory missing '.'"); brelse(bh); return true; } - offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) + - ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize); - de = ext4_next_entry(de1, sb->s_blocksize); + offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); + de = ext4_next_entry(de, sb->s_blocksize); + if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, + offset) || + le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) { + ext4_warning_inode(inode, "directory missing '..'"); + brelse(bh); + return true; + } + offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); while (offset < inode->i_size) { - if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { + if (!(offset & (sb->s_blocksize - 1))) { unsigned int lblock; brelse(bh); lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
.\cloneFuncs\totalClone\Type-1\CVE-2019-19037_before_1mo_1567489397_ext4_empty_dir.c
17
18
19
20
21
22
23
24
25
26
sb = inode->i_sb; if (inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)) { EXT4_ERROR_INODE(inode, "invalid size"); return true; } /* The first directory block must not be a hole, * so treat it as DIRENT_HTREE */ bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE); if (IS_ERR(bh))
+ show +
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
return true; de = (struct ext4_dir_entry_2 *) bh->b_data; de1 = ext4_next_entry(de, sb->s_blocksize); if (le32_to_cpu(de->inode) != inode->i_ino || le32_to_cpu(de1->inode) == 0 || strcmp(".", de->name) || strcmp("..", de1->name)) { ext4_warning_inode(inode, "directory missing '.' and/or '..'"); brelse(bh); return true; } offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) + ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize); de = ext4_next_entry(de1, sb->s_blocksize); while (offset < inode->i_size) { if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { unsigned int lblock; brelse(bh); lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
+ show +
46
47
48
49
50
51
52
53
54
55
bh = ext4_read_dirblock(inode, lblock, EITHER); if (bh == NULL) { offset += sb->s_blocksize; continue; } if (IS_ERR(bh)) return true; de = (struct ext4_dir_entry_2 *) bh->b_data; } if (ext4_check_dir_entry(inode, NULL, de, bh,
.\cloneFuncs\totalClone\Type-3\CVE-2019-19037_before_6mo_1558291396_ext4_empty_dir.c
14
15
16
17
18
19
20
21
22
23
return ret; } sb = inode->i_sb; if (inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)) { EXT4_ERROR_INODE(inode, "invalid size"); return true; } bh = ext4_read_dirblock(inode, 0, EITHER); if (IS_ERR(bh))
+ show +
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
return true; de = (struct ext4_dir_entry_2 *) bh->b_data; de1 = ext4_next_entry(de, sb->s_blocksize); if (le32_to_cpu(de->inode) != inode->i_ino || le32_to_cpu(de1->inode) == 0 || strcmp(".", de->name) || strcmp("..", de1->name)) { ext4_warning_inode(inode, "directory missing '.' and/or '..'"); brelse(bh); return true; } offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) + ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize); de = ext4_next_entry(de1, sb->s_blocksize); while (offset < inode->i_size) { if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { unsigned int lblock; brelse(bh); lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
+ show +
43
44
45
46
47
48
49
50
51
52
bh = ext4_read_dirblock(inode, lblock, EITHER); if (IS_ERR(bh)) return true; de = (struct ext4_dir_entry_2 *) bh->b_data; } if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, offset)) { de = (struct ext4_dir_entry_2 *)(bh->b_data + sb->s_blocksize); offset = (offset | (sb->s_blocksize - 1)) + 1;

[linux_CVE-2019-19076_1576002032_nfp_abm_u32_knode_replace.diff] nfp_abm_u32_knode_replace_OLD.c #1
u8 mask, val; int err; - if (!nfp_abm_u32_check_knode(alink->abm, knode, proto, extack)) { - err = -EOPNOTSUPP; + if (!nfp_abm_u32_check_knode(alink->abm, knode, proto, extack)) goto err_delete; - } tos_off = proto == htons(ETH_P_IP) ? 16 : 20;
.\cloneFuncs\totalClone\Type-1\CVE-2019-19076_before_imd_1569549106_nfp_abm_u32_knode_replace.c
1
2
3
4
5
6
7
static int nfp_abm_u32_knode_replace(struct nfp_abm_link *alink, struct tc_cls_u32_knode *knode, __be16 proto, struct netlink_ext_ack *extack) { struct nfp_abm_u32_match *match = NULL, *iter; unsigned int tos_off;
+ show +
8
9
10
11
12
13
14
15
16
u8 mask, val; int err; if (!nfp_abm_u32_check_knode(alink->abm, knode, proto, extack)) { err = -EOPNOTSUPP; goto err_delete; } tos_off = proto == htons(ETH_P_IP) ? 16 : 20;
+ show +
17
18
19
20
21
22
23
24
25
26
/* Extract the DSCP Class Selector bits */ val = be32_to_cpu(knode->sel->keys[0].val) >> tos_off & 0xff; mask = be32_to_cpu(knode->sel->keys[0].mask) >> tos_off & 0xff; /* Check if there is no conflicting mapping and find match by handle */ list_for_each_entry(iter, &alink->dscp_map, list) { u32 cmask; if (iter->handle == knode->handle) {

[linux_CVE-2019-19332_1575451734___do_cpuid_func.diff] __do_cpuid_func_OLD.c #1
r = -E2BIG; - if (*nent >= maxnent) + if (WARN_ON(*nent >= maxnent)) goto out; do_host_cpuid(entry, function, 0);
.\cloneFuncs\totalClone\Type-1\CVE-2019-19332_before_imd_1574368423___do_cpuid_func.c
67
68
69
70
71
72
73
74
75
76
F(ACE2) | F(ACE2_EN) | F(PHE) | F(PHE_EN) | F(PMM) | F(PMM_EN); /* cpuid 0xD.1.eax */ const u32 kvm_cpuid_D_1_eax_x86_features = F(XSAVEOPT) | F(XSAVEC) | F(XGETBV1) | f_xsaves; /* all calls to cpuid_count() should be made on the same cpu */ get_cpu();
+ show +
77
78
79
80
81
82
r = -E2BIG; if (*nent >= maxnent) goto out; do_host_cpuid(entry, function, 0);
+ show +
83
84
85
86
87
88
89
90
91
92
++*nent; switch (function) { case 0: /* Limited to the highest leaf implemented in KVM. */ entry->eax = min(entry->eax, 0x1fU); break; case 1: entry->edx &= kvm_cpuid_1_edx_x86_features; cpuid_mask(&entry->edx, CPUID_1_EDX);
.\cloneFuncs\totalClone\Type-3\CVE-2019-19332_before_1mo_1570220567___do_cpuid_func.c
67
68
69
70
71
72
73
74
75
76
F(ACE2) | F(ACE2_EN) | F(PHE) | F(PHE_EN) | F(PMM) | F(PMM_EN); /* cpuid 0xD.1.eax */ const u32 kvm_cpuid_D_1_eax_x86_features = F(XSAVEOPT) | F(XSAVEC) | F(XGETBV1) | f_xsaves; /* all calls to cpuid_count() should be made on the same cpu */ get_cpu();
+ show +
77
78
79
80
81
82
r = -E2BIG; if (*nent >= maxnent) goto out; do_host_cpuid(entry, function, 0);
+ show +
83
84
85
86
87
88
89
90
91
92
++*nent; switch (function) { case 0: /* Limited to the highest leaf implemented in KVM. */ entry->eax = min(entry->eax, 0x1fU); break; case 1: entry->edx &= kvm_cpuid_1_edx_x86_features; cpuid_mask(&entry->edx, CPUID_1_EDX);

[linux_CVE-2019-19377_1581487964_btree_write_cache_pages.diff] btree_write_cache_pages_OLD.c #1
.extent_locked = 0, .sync_io = wbc->sync_mode == WB_SYNC_ALL, }; + struct btrfs_fs_info *fs_info = BTRFS_I(mapping->host)->root->fs_info; int ret = 0; int done = 0; int nr_to_write_done = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2019-19377_before_imd_1582499802_btree_write_cache_pages.c
1
2
3
4
5
6
int btree_write_cache_pages(struct address_space *mapping, struct writeback_control *wbc) { struct extent_buffer *eb, *prev_eb = NULL; struct extent_page_data epd = { .bio = NULL,
+ show +
7
8
9
10
11
12
.extent_locked = 0, .sync_io = wbc->sync_mode == WB_SYNC_ALL, }; int ret = 0; int done = 0; int nr_to_write_done = 0;
+ show +
13
14
15
16
17
18
19
20
21
22
struct pagevec pvec; int nr_pages; pgoff_t index; pgoff_t end; /* Inclusive */ int scanned = 0; xa_mark_t tag; pagevec_init(&pvec); if (wbc->range_cyclic) { index = mapping->writeback_index; /* Start from prev offset */
.\cloneFuncs\totalClone\Type-3\CVE-2019-19377_before_1mo_1575372298_btree_write_cache_pages.c
1
2
3
4
5
6
7
8
int btree_write_cache_pages(struct address_space *mapping, struct writeback_control *wbc) { struct extent_io_tree *tree = &BTRFS_I(mapping->host)->io_tree; struct extent_buffer *eb, *prev_eb = NULL; struct extent_page_data epd = { .bio = NULL, .tree = tree,
+ show +
9
10
11
12
13
14
.extent_locked = 0, .sync_io = wbc->sync_mode == WB_SYNC_ALL, }; int ret = 0; int done = 0; int nr_to_write_done = 0;
+ show +
15
16
17
18
19
20
21
22
23
24
struct pagevec pvec; int nr_pages; pgoff_t index; pgoff_t end; /* Inclusive */ int scanned = 0; xa_mark_t tag; pagevec_init(&pvec); if (wbc->range_cyclic) { index = mapping->writeback_index; /* Start from prev offset */
.\cloneFuncs\totalClone\Type-3\CVE-2019-19377_before_6mo_1563315176_btree_write_cache_pages.c
1
2
3
4
5
6
7
8
int btree_write_cache_pages(struct address_space *mapping, struct writeback_control *wbc) { struct extent_io_tree *tree = &BTRFS_I(mapping->host)->io_tree; struct extent_buffer *eb, *prev_eb = NULL; struct extent_page_data epd = { .bio = NULL, .tree = tree,
+ show +
9
10
11
12
13
14
.extent_locked = 0, .sync_io = wbc->sync_mode == WB_SYNC_ALL, }; int ret = 0; int done = 0; int nr_to_write_done = 0;
+ show +
15
16
17
18
19
20
21
22
23
24
struct pagevec pvec; int nr_pages; pgoff_t index; pgoff_t end; /* Inclusive */ int scanned = 0; xa_mark_t tag; pagevec_init(&pvec); if (wbc->range_cyclic) { index = mapping->writeback_index; /* Start from prev offset */

[linux_CVE-2019-19448_1595860085_try_merge_free_space.diff] try_merge_free_space_OLD.c #1
static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, struct btrfs_free_space *info, bool update_stat) { - struct btrfs_free_space *left_info; + struct btrfs_free_space *left_info = NULL; struct btrfs_free_space *right_info; bool merged = false; u64 offset = info->offset;
.\cloneFuncs\totalClone\Type-1\CVE-2019-19448_before_1mo_1589819663_try_merge_free_space.c
+ show +
1
2
3
4
5
6
7
static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, struct btrfs_free_space *info, bool update_stat) { struct btrfs_free_space *left_info; struct btrfs_free_space *right_info; bool merged = false; u64 offset = info->offset;
+ show +
8
9
10
11
12
13
14
15
16
17
u64 bytes = info->bytes; const bool is_trimmed = btrfs_free_space_trimmed(info); /* * first we want to see if there is free space adjacent to the range we * are adding, if there is remove that struct and add a new one to * cover the entire range */ right_info = tree_search_offset(ctl, offset + bytes, 0, 0); if (right_info && rb_prev(&right_info->offset_index))

[linux_CVE-2019-19448_1595860085_try_merge_free_space.diff] try_merge_free_space_OLD.c #2
if (right_info && rb_prev(&right_info->offset_index)) left_info = rb_entry(rb_prev(&right_info->offset_index), struct btrfs_free_space, offset_index); - else + else if (!right_info) left_info = tree_search_offset(ctl, offset - 1, 0, 0); /* See try_merge_free_space() comment. */
.\cloneFuncs\totalClone\Type-1\CVE-2019-19448_before_1mo_1589819663_try_merge_free_space.c
7
8
9
10
11
12
13
14
15
16
u64 offset = info->offset; u64 bytes = info->bytes; const bool is_trimmed = btrfs_free_space_trimmed(info); /* * first we want to see if there is free space adjacent to the range we * are adding, if there is remove that struct and add a new one to * cover the entire range */ right_info = tree_search_offset(ctl, offset + bytes, 0, 0);
+ show +
17
18
19
20
21
22
23
if (right_info && rb_prev(&right_info->offset_index)) left_info = rb_entry(rb_prev(&right_info->offset_index), struct btrfs_free_space, offset_index); else left_info = tree_search_offset(ctl, offset - 1, 0, 0); /* See try_merge_free_space() comment. */
+ show +
24
25
26
27
28
29
30
31
32
33
if (right_info && !right_info->bitmap && (!is_trimmed || btrfs_free_space_trimmed(right_info))) { if (update_stat) unlink_free_space(ctl, right_info); else __unlink_free_space(ctl, right_info); info->bytes += right_info->bytes; kmem_cache_free(btrfs_free_space_cachep, right_info); merged = true; }

[linux_CVE-2019-19770_1592599648_do_blk_trace_setup.diff] do_blk_trace_setup_OLD.c #1
if (!bt->msg_data) goto err; - ret = -ENOENT; - - dir = debugfs_lookup(buts->name, blk_debugfs_root); - if (!dir) +#ifdef CONFIG_BLK_DEBUG_FS + /* + * When tracing whole make_request drivers (multiqueue) block devices, + * reuse the existing debugfs directory created by the block layer on + * init. For request-based block devices, all partitions block devices, + * and scsi-generic block devices we create a temporary new debugfs + * directory that will be removed once the trace ends. + */ + if (queue_is_mq(q) && bdev && bdev == bdev->bd_contains) + dir = q->debugfs_dir; + else +#endif bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); bt->dev = dev;
.\cloneFuncs\totalClone\Type-1\CVE-2019-19770_before_imd_1592599646_do_blk_trace_setup.c
37
38
39
40
41
42
43
44
45
46
bt = kzalloc(sizeof(*bt), GFP_KERNEL); if (!bt) return -ENOMEM; ret = -ENOMEM; bt->sequence = alloc_percpu(unsigned long); if (!bt->sequence) goto err; bt->msg_data = __alloc_percpu(BLK_TN_MAX_MSG, __alignof__(char));
+ show +
47
48
49
50
51
52
53
54
55
56
if (!bt->msg_data) goto err; ret = -ENOENT; dir = debugfs_lookup(buts->name, blk_debugfs_root); if (!dir) bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); bt->dev = dev;
+ show +
57
58
59
60
61
62
63
64
65
66
atomic_set(&bt->dropped, 0); INIT_LIST_HEAD(&bt->running_list); ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, &blk_dropped_fops); bt->msg_file = debugfs_create_file("msg", 0222, dir, bt, &blk_msg_fops); bt->rchan = relay_open("trace", dir, buts->buf_size,
.\cloneFuncs\totalClone\Type-3\CVE-2019-19770_before_1mo_1589385743_do_blk_trace_setup.c
24
25
26
27
28
29
30
31
32
33
bt = kzalloc(sizeof(*bt), GFP_KERNEL); if (!bt) return -ENOMEM; ret = -ENOMEM; bt->sequence = alloc_percpu(unsigned long); if (!bt->sequence) goto err; bt->msg_data = __alloc_percpu(BLK_TN_MAX_MSG, __alignof__(char));
+ show +
34
35
36
37
38
39
40
41
42
43
if (!bt->msg_data) goto err; ret = -ENOENT; dir = debugfs_lookup(buts->name, blk_debugfs_root); if (!dir) bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); bt->dev = dev;
+ show +
44
45
46
47
48
49
50
51
52
53
atomic_set(&bt->dropped, 0); INIT_LIST_HEAD(&bt->running_list); ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, &blk_dropped_fops); bt->msg_file = debugfs_create_file("msg", 0222, dir, bt, &blk_msg_fops); bt->rchan = relay_open("trace", dir, buts->buf_size,

[linux_CVE-2019-2308_1613158018_fastrpc_internal_invoke.diff] fastrpc_internal_invoke_OLD.c #1
if (!fl->cctx->rpdev) return -EPIPE; + if (handle == FASTRPC_INIT_HANDLE && !kernel) { + dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle); + return -EPERM; + } + ctx = fastrpc_context_alloc(fl, kernel, sc, args); if (IS_ERR(ctx)) return PTR_ERR(ctx);
.\cloneFuncs\totalClone\Type-1\CVE-2019-2308_before_1mo_1604451311_fastrpc_internal_invoke.c
1
2
3
4
5
6
7
8
9
10
static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, u32 handle, u32 sc, struct fastrpc_invoke_args *args) { struct fastrpc_invoke_ctx *ctx = NULL; int err = 0; if (!fl->sctx) return -EINVAL;
+ show +
11
12
13
14
15
16
if (!fl->cctx->rpdev) return -EPIPE; ctx = fastrpc_context_alloc(fl, kernel, sc, args); if (IS_ERR(ctx)) return PTR_ERR(ctx);
+ show +
17
18
19
20
21
22
23
24
25
26
if (ctx->nscalars) { err = fastrpc_get_args(kernel, ctx); if (err) goto bail; } /* make sure that all CPU memory writes are seen by DSP */ dma_wmb(); /* Send invoke buffer to remote dsp */

[linux_CVE-2019-3016_1575646572_kvm_set_msr_common.diff] kvm_set_msr_common_OLD.c #1
if (data & KVM_STEAL_RESERVED_MASK) return 1; - if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, - data & KVM_STEAL_VALID_BITS, - sizeof(struct kvm_steal_time))) - return 1; - vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
.\cloneFuncs\totalClone\Type-1\CVE-2019-3016_before_imd_1575517532_kvm_set_msr_common.c
152
153
154
155
156
157
158
159
160
161
} case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1;
+ show +
162
163
164
165
166
167
168
169
170
171
172
if (data & KVM_STEAL_RESERVED_MASK) return 1; if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, data & KVM_STEAL_VALID_BITS, sizeof(struct kvm_steal_time))) return 1; vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
+ show +
173
174
175
176
177
178
179
180
181
182
break; kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); break; case MSR_KVM_PV_EOI_EN: if (kvm_lapic_enable_pv_eoi(vcpu, data, sizeof(u8))) return 1; break;
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_after_1mo_1367790451_kvm_set_msr_common.c
96
97
98
99
100
101
102
103
104
105
} case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1;
+ show +
106
107
108
109
110
111
112
113
114
115
116
if (data & KVM_STEAL_RESERVED_MASK) return 1; if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, data & KVM_STEAL_VALID_BITS, sizeof(struct kvm_steal_time))) return 1; vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
+ show +
117
118
119
120
121
122
123
124
125
126
break; vcpu->arch.st.last_steal = current->sched_info.run_delay; preempt_disable(); accumulate_steal_time(vcpu); preempt_enable(); kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu);
.\cloneFuncs\totalClone\Type-3\CVE-2013-1796_after_6mo_1380109987_kvm_set_msr_common.c
96
97
98
99
100
101
102
103
104
105
} case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1;
+ show +
106
107
108
109
110
111
112
113
114
115
116
if (data & KVM_STEAL_RESERVED_MASK) return 1; if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, data & KVM_STEAL_VALID_BITS, sizeof(struct kvm_steal_time))) return 1; vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
+ show +
117
118
119
120
121
122
123
124
125
126
break; vcpu->arch.st.last_steal = current->sched_info.run_delay; preempt_disable(); accumulate_steal_time(vcpu); preempt_enable(); kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu);
.\cloneFuncs\totalClone\Type-3\CVE-2019-3016_before_1mo_1572895560_kvm_set_msr_common.c
138
139
140
141
142
143
144
145
146
147
} case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1;
+ show +
148
149
150
151
152
153
154
155
156
157
158
if (data & KVM_STEAL_RESERVED_MASK) return 1; if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, data & KVM_STEAL_VALID_BITS, sizeof(struct kvm_steal_time))) return 1; vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
+ show +
159
160
161
162
163
164
165
166
167
168
break; kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); break; case MSR_KVM_PV_EOI_EN: if (kvm_lapic_enable_pv_eoi(vcpu, data, sizeof(u8))) return 1; break;
.\cloneFuncs\totalClone\Type-3\CVE-2019-3016_before_6mo_1546564468_kvm_set_msr_common.c
138
139
140
141
142
143
144
145
146
147
} case MSR_KVM_ASYNC_PF_EN: if (kvm_pv_enable_async_pf(vcpu, data)) return 1; break; case MSR_KVM_STEAL_TIME: if (unlikely(!sched_info_on())) return 1;
+ show +
148
149
150
151
152
153
154
155
156
157
158
if (data & KVM_STEAL_RESERVED_MASK) return 1; if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime, data & KVM_STEAL_VALID_BITS, sizeof(struct kvm_steal_time))) return 1; vcpu->arch.st.msr_val = data; if (!(data & KVM_MSR_ENABLED))
+ show +
159
160
161
162
163
164
165
166
167
168
break; kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); break; case MSR_KVM_PV_EOI_EN: if (kvm_lapic_enable_pv_eoi(vcpu, data, sizeof(u8))) return 1; break;

[linux_CVE-2019-3016_1575646572_kvm_steal_time_set_preempted.diff] kvm_steal_time_set_preempted_OLD.c #1
if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) return; - if (vcpu->arch.st.steal.preempted) + if (vcpu->arch.st.preempted) return; if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT, &map,
.\cloneFuncs\totalClone\Type-1\CVE-2019-3016_before_imd_1575517532_kvm_steal_time_set_preempted.c
1
2
3
4
5
static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu) { struct kvm_host_map map; struct kvm_steal_time *st;
+ show +
6
7
8
9
10
11
12
if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) return; if (vcpu->arch.st.steal.preempted) return; if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT, &map,
+ show +
13
14
15
16
17
18
19
20
21
22
&vcpu->arch.st.cache, true)) return; st = map.hva + offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS); st->preempted = vcpu->arch.st.steal.preempted = KVM_VCPU_PREEMPTED; kvm_unmap_gfn(vcpu, &map, &vcpu->arch.st.cache, true, true); }

[linux_CVE-2019-3016_1575646572_record_steal_time.diff] record_steal_time_OLD.c #1
if (xchg(&st->preempted, 0) & KVM_VCPU_FLUSH_TLB) kvm_vcpu_flush_tlb(vcpu, false); - vcpu->arch.st.steal.preempted = 0; + vcpu->arch.st.preempted = 0; if (st->version & 1) st->version += 1; /* first time write, random junk */
.\cloneFuncs\totalClone\Type-1\CVE-2019-3016_before_imd_1575517532_record_steal_time.c
13
14
15
16
17
18
19
20
21
22
st = map.hva + offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS); /* * Doing a TLB flush here, on the guest's behalf, can avoid * expensive IPIs. */ trace_kvm_pv_tlb_flush(vcpu->vcpu_id, st->preempted & KVM_VCPU_FLUSH_TLB);
+ show +
23
24
25
26
27
28
29
if (xchg(&st->preempted, 0) & KVM_VCPU_FLUSH_TLB) kvm_vcpu_flush_tlb(vcpu, false); vcpu->arch.st.steal.preempted = 0; if (st->version & 1) st->version += 1; /* first time write, random junk */
+ show +
30
31
32
33
34
35
36
37
38
39
st->version += 1; smp_wmb(); st->steal += current->sched_info.run_delay - vcpu->arch.st.last_steal; vcpu->arch.st.last_steal = current->sched_info.run_delay; smp_wmb();

[linux_CVE-2019-3701_1546613726_can_can_gw_rcv.diff] can_can_gw_rcv_OLD.c #1
while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx]) (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod); - /* check for checksum updates when the CAN frame has been modified */ + /* Has the CAN frame been modified? */ if (modidx) { - if (gwj->mod.csumfunc.crc8) + /* get available space for the processed CAN frame type */ + int max_len = nskb->len - offsetof(struct can_frame, data); + + /* dlc may have changed, make sure it fits to the CAN frame */ + if (cf->can_dlc > max_len) + goto out_delete; + + /* check for checksum updates in classic CAN length only */ + if (gwj->mod.csumfunc.crc8) { + if (cf->can_dlc > 8) + goto out_delete; + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); + } + + if (gwj->mod.csumfunc.xor) { + if (cf->can_dlc > 8) + goto out_delete; - if (gwj->mod.csumfunc.xor) (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor); + } } /* clear the skb timestamp if not configured the other way */
.\cloneFuncs\totalClone\Type-1\CVE-2019-3701_before_1mo_1521845678_can_can_gw_rcv.c
59
60
61
62
63
64
65
66
67
68
/* first processing of this CAN frame -> adjust to private hop limit */ if (gwj->limit_hops && cgw_hops(nskb) == 1) cgw_hops(nskb) = max_hops - gwj->limit_hops + 1; nskb->dev = gwj->dst.dev; /* pointer to modifiable CAN frame */ cf = (struct can_frame *)nskb->data; /* perform preprocessed modification functions if there are any */
+ show +
69
70
71
72
73
74
75
76
77
78
79
80
81
while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx]) (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod); /* check for checksum updates when the CAN frame has been modified */ if (modidx) { if (gwj->mod.csumfunc.crc8) (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); if (gwj->mod.csumfunc.xor) (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor); } /* clear the skb timestamp if not configured the other way */
+ show +
82
83
84
85
86
87
88
89
90
if (!(gwj->flags & CGW_FLAGS_CAN_SRC_TSTAMP)) nskb->tstamp = 0; /* send to netdevice */ if (can_send(nskb, gwj->flags & CGW_FLAGS_CAN_ECHO)) gwj->dropped_frames++; else gwj->handled_frames++; }

[linux_CVE-2019-3819_1548759515_hid_debug_events_open.diff] hid_debug_events_open_OLD.c #1
goto out; } - if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) { - err = -ENOMEM; + err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL); + if (err) { kfree(list); goto out; }
.\cloneFuncs\totalClone\Type-1\CVE-2019-3819_before_1mo_1531181771_hid_debug_events_open.c
1
2
3
4
5
6
7
8
static int hid_debug_events_open(struct inode *inode, struct file *file) { int err = 0; struct hid_debug_list *list; unsigned long flags; if (!(list = kzalloc(sizeof(struct hid_debug_list), GFP_KERNEL))) { err = -ENOMEM;
+ show +
9
10
11
12
13
14
15
16
goto out; } if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) { err = -ENOMEM; kfree(list); goto out; }
+ show +
17
18
19
20
21
22
23
24
25
26
list->hdev = (struct hid_device *) inode->i_private; file->private_data = list; mutex_init(&list->read_mutex); spin_lock_irqsave(&list->hdev->debug_list_lock, flags); list_add_tail(&list->node, &list->hdev->debug_list); spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags); out: return err;

[linux_CVE-2019-3846_1559134339_mwifiex_update_bss_desc_with_ie.diff] mwifiex_update_bss_desc_with_ie_OLD.c #1
} switch (element_id) { case WLAN_EID_SSID: + if (element_len > IEEE80211_MAX_SSID_LEN) + return -EINVAL; bss_entry->ssid.ssid_len = element_len; memcpy(bss_entry->ssid.ssid, (current_ptr + 2), element_len);
.\cloneFuncs\totalClone\Type-1\CVE-2019-3846_before_1mo_1531484795_mwifiex_update_bss_desc_with_ie.c
28
29
30
31
32
33
34
35
36
37
while (bytes_left >= 2) { element_id = *current_ptr; element_len = *(current_ptr + 1); total_ie_len = element_len + sizeof(struct ieee_types_header); if (bytes_left < total_ie_len) { mwifiex_dbg(adapter, ERROR, "err: InterpretIE: in processing\t" "IE, bytes left < IE length\n"); return -1;
+ show +
38
39
40
41
42
43
} switch (element_id) { case WLAN_EID_SSID: bss_entry->ssid.ssid_len = element_len; memcpy(bss_entry->ssid.ssid, (current_ptr + 2), element_len);
+ show +
44
45
46
47
48
49
50
51
52
53
mwifiex_dbg(adapter, INFO, "info: InterpretIE: ssid: %-32s\n", bss_entry->ssid.ssid); break; case WLAN_EID_SUPP_RATES: memcpy(bss_entry->data_rates, current_ptr + 2, element_len); memcpy(bss_entry->supported_rates, current_ptr + 2, element_len);

[linux_CVE-2019-3846_1559134339_mwifiex_update_bss_desc_with_ie.diff] mwifiex_update_bss_desc_with_ie_OLD.c #2
break; case WLAN_EID_SUPP_RATES: + if (element_len > MWIFIEX_SUPPORTED_RATES) + return -EINVAL; memcpy(bss_entry->data_rates, current_ptr + 2, element_len); memcpy(bss_entry->supported_rates, current_ptr + 2,
.\cloneFuncs\totalClone\Type-1\CVE-2019-3846_before_1mo_1531484795_mwifiex_update_bss_desc_with_ie.c
37
38
39
40
41
42
43
44
45
46
return -1; } switch (element_id) { case WLAN_EID_SSID: bss_entry->ssid.ssid_len = element_len; memcpy(bss_entry->ssid.ssid, (current_ptr + 2), element_len); mwifiex_dbg(adapter, INFO, "info: InterpretIE: ssid: %-32s\n", bss_entry->ssid.ssid);
+ show +
47
48
49
50
51
52
break; case WLAN_EID_SUPP_RATES: memcpy(bss_entry->data_rates, current_ptr + 2, element_len); memcpy(bss_entry->supported_rates, current_ptr + 2,
+ show +
53
54
55
56
57
58
59
60
61
62
element_len); rate_size = element_len; found_data_rate_ie = true; break; case WLAN_EID_FH_PARAMS: fh_param_set = (struct ieee_types_fh_param_set *) current_ptr; memcpy(&bss_entry->phy_param_set.fh_param_set, fh_param_set,

[linux_CVE-2019-3882_1554316581_vfio_dma_do_map.diff] vfio_dma_do_map_OLD.c #1
goto out_unlock; } + if (!iommu->dma_avail) { + ret = -ENOSPC; + goto out_unlock; + } + dma = kzalloc(sizeof(*dma), GFP_KERNEL); if (!dma) { ret = -ENOMEM; goto out_unlock; } + iommu->dma_avail--; dma->iova = iova; dma->vaddr = vaddr; dma->prot = prot;
.\cloneFuncs\totalClone\Type-1\CVE-2019-3882_before_1mo_1541761632_vfio_dma_do_map.c
26
27
28
29
30
31
32
33
34
35
return -EINVAL; /* Don't allow IOVA or virtual address wrap */ if (iova + size - 1 < iova || vaddr + size - 1 < vaddr) return -EINVAL; mutex_lock(&iommu->lock); if (vfio_find_dma(iommu, iova, size)) { ret = -EEXIST;
+ show +
36
37
38
39
40
41
42
43
44
45
46
47
goto out_unlock; } dma = kzalloc(sizeof(*dma), GFP_KERNEL); if (!dma) { ret = -ENOMEM; goto out_unlock; } dma->iova = iova; dma->vaddr = vaddr; dma->prot = prot;
+ show +
48
49
50
51
52
53
54
55
56
57
/* * We need to be able to both add to a task's locked memory and test * against the locked memory limit and we need to be able to do both * outside of this call path as pinning can be asynchronous via the * external interfaces for mdev devices. RLIMIT_MEMLOCK requires a * task_struct and VM locked pages requires an mm_struct, however * holding an indefinite mm reference is not recommended, therefore we * only hold a reference to a task. We could hold a reference to * current, however QEMU uses this call path through vCPU threads,

[linux_CVE-2019-3882_1554316581_vfio_iommu_type1_open.diff] vfio_iommu_type1_open_OLD.c #1
INIT_LIST_HEAD(&iommu->domain_list); iommu->dma_list = RB_ROOT; + iommu->dma_avail = dma_entry_limit; mutex_init(&iommu->lock); BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
.\cloneFuncs\totalClone\Type-1\CVE-2019-3882_before_1mo_1541761632_vfio_iommu_type1_open.c
13
14
15
16
17
18
19
20
21
22
iommu->nesting = true; /* fall through */ case VFIO_TYPE1v2_IOMMU: iommu->v2 = true; break; default: kfree(iommu); return ERR_PTR(-EINVAL); }
+ show +
23
24
25
26
INIT_LIST_HEAD(&iommu->domain_list); iommu->dma_list = RB_ROOT; mutex_init(&iommu->lock); BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
+ show +
27
28
29
return iommu; }

[linux_CVE-2019-3900_1558067392_vhost_scsi_ctl_handle_vq.diff] vhost_scsi_ctl_handle_vq_OLD.c #1
} v_req; struct vhost_scsi_ctx vc; size_t typ_size; - int ret; + int ret, c = 0; mutex_lock(&vq->mutex); /*
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_ctl_handle_vq.c
1
2
3
4
5
6
7
static void vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) { union { __virtio32 type; struct virtio_scsi_ctrl_an_req an; struct virtio_scsi_ctrl_tmf_req tmf;
+ show +
8
9
10
11
12
13
14
} v_req; struct vhost_scsi_ctx vc; size_t typ_size; int ret; mutex_lock(&vq->mutex); /*
+ show +
15
16
17
18
19
20
21
22
23
24
* We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ if (!vq->private_data) goto out; memset(&vc, 0, sizeof(vc)); vhost_disable_notify(&vs->dev, vq);

[linux_CVE-2019-3900_1558067392_vhost_scsi_ctl_handle_vq.diff] vhost_scsi_ctl_handle_vq_OLD.c #2
vhost_disable_notify(&vs->dev, vq); - for (;;) { + do { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_ctl_handle_vq.c
13
14
15
16
17
18
19
20
21
22
mutex_lock(&vq->mutex); /* * We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ if (!vq->private_data) goto out; memset(&vc, 0, sizeof(vc));
+ show +
23
24
25
26
27
28
vhost_disable_notify(&vs->dev, vq); for (;;) { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
+ show +
29
30
31
32
33
34
35
36
37
38
/* * Get the request type first in order to setup * other parameters dependent on the type. */ vc.req = &v_req.type; typ_size = sizeof(v_req.type); if (unlikely(!copy_from_iter_full(vc.req, typ_size, &vc.out_iter))) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_handle_vq.c
20
21
22
23
24
25
26
27
28
29
* We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ vs_tpg = vq->private_data; if (!vs_tpg) goto out; memset(&vc, 0, sizeof(vc)); vc.rsp_size = sizeof(struct virtio_scsi_cmd_resp);
+ show +
30
31
32
33
34
35
vhost_disable_notify(&vs->dev, vq); for (;;) { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
+ show +
36
37
38
39
40
41
42
43
44
45
/* * Setup pointers and values based upon different virtio-scsi * request header if T10_PI is enabled in KVM guest. */ if (t10_pi) { vc.req = &v_req_pi; vc.req_size = sizeof(v_req_pi); vc.lunp = &v_req_pi.lun[0]; vc.target = &v_req_pi.lun[1];

[linux_CVE-2019-3900_1558067392_vhost_scsi_handle_vq.diff] vhost_scsi_handle_vq_OLD.c #2
vhost_disable_notify(&vs->dev, vq); - for (;;) { + do { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_ctl_handle_vq.c
13
14
15
16
17
18
19
20
21
22
mutex_lock(&vq->mutex); /* * We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ if (!vq->private_data) goto out; memset(&vc, 0, sizeof(vc));
+ show +
23
24
25
26
27
28
vhost_disable_notify(&vs->dev, vq); for (;;) { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
+ show +
29
30
31
32
33
34
35
36
37
38
/* * Get the request type first in order to setup * other parameters dependent on the type. */ vc.req = &v_req.type; typ_size = sizeof(v_req.type); if (unlikely(!copy_from_iter_full(vc.req, typ_size, &vc.out_iter))) {
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_handle_vq.c
20
21
22
23
24
25
26
27
28
29
* We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ vs_tpg = vq->private_data; if (!vs_tpg) goto out; memset(&vc, 0, sizeof(vc)); vc.rsp_size = sizeof(struct virtio_scsi_cmd_resp);
+ show +
30
31
32
33
34
35
vhost_disable_notify(&vs->dev, vq); for (;;) { ret = vhost_scsi_get_desc(vs, vq, &vc); if (ret) goto err;
+ show +
36
37
38
39
40
41
42
43
44
45
/* * Setup pointers and values based upon different virtio-scsi * request header if T10_PI is enabled in KVM guest. */ if (t10_pi) { vc.req = &v_req_pi; vc.req_size = sizeof(v_req_pi); vc.lunp = &v_req_pi.lun[0]; vc.target = &v_req_pi.lun[1];

[linux_CVE-2019-3900_1558067392_vhost_scsi_handle_vq.diff] vhost_scsi_handle_vq_OLD.c #1
struct iov_iter in_iter, prot_iter, data_iter; u64 tag; u32 exp_data_len, data_direction; - int ret, prot_bytes; + int ret, prot_bytes, c = 0; u16 lun; u8 task_attr; bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI);
.\cloneFuncs\totalClone\Type-1\CVE-2019-3900_before_1mo_1552179227_vhost_scsi_handle_vq.c
1
2
3
4
5
6
7
8
static void vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) { struct vhost_scsi_tpg **vs_tpg, *tpg; struct virtio_scsi_cmd_req v_req; struct virtio_scsi_cmd_req_pi v_req_pi; struct vhost_scsi_ctx vc; struct vhost_scsi_cmd *cmd;
+ show +
9
10
11
12
13
14
15
struct iov_iter in_iter, prot_iter, data_iter; u64 tag; u32 exp_data_len, data_direction; int ret, prot_bytes; u16 lun; u8 task_attr; bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI);
+ show +
16
17
18
19
20
21
22
23
24
25
void *cdb; mutex_lock(&vq->mutex); /* * We can handle the vq only after the endpoint is setup by calling the * VHOST_SCSI_SET_ENDPOINT ioctl. */ vs_tpg = vq->private_data; if (!vs_tpg) goto out;

[linux_CVE-2019-6974_1548464073_kvm_ioctl_create_device.diff] kvm_ioctl_create_device_OLD.c #1
if (ops->init) ops->init(dev); + kvm_get_kvm(kvm); ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); if (ret < 0) { + kvm_put_kvm(kvm); mutex_lock(&kvm->lock); list_del(&dev->vm_node); mutex_unlock(&kvm->lock);
.\cloneFuncs\totalClone\Type-1\CVE-2019-6974_before_1mo_1544102471_kvm_ioctl_create_device.c
26
27
28
29
30
31
32
33
34
35
mutex_lock(&kvm->lock); ret = ops->create(dev, cd->type); if (ret < 0) { mutex_unlock(&kvm->lock); kfree(dev); return ret; } list_add(&dev->vm_node, &kvm->devices); mutex_unlock(&kvm->lock);
+ show +
36
37
38
39
40
41
42
43
if (ops->init) ops->init(dev); ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); if (ret < 0) { mutex_lock(&kvm->lock); list_del(&dev->vm_node); mutex_unlock(&kvm->lock);
+ show +
44
45
46
47
48
49
50
51
ops->destroy(dev); return ret; } kvm_get_kvm(kvm); cd->fd = ret; return 0; }

[linux_CVE-2019-7221_1539283606_free_nested.diff] free_nested_OLD.c #1
if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return; + hrtimer_cancel(&vmx->nested.preemption_timer); vmx->nested.vmxon = false; vmx->nested.smm.vmxon = false; free_vpid(vmx->nested.vpid02);
.\cloneFuncs\totalClone\Type-1\CVE-2019-7221_before_imd_1548055625_free_nested.c
1
2
3
4
static void free_nested(struct kvm_vcpu *vcpu) { struct vcpu_vmx *vmx = to_vmx(vcpu);
+ show +
5
6
7
8
9
10
if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return; vmx->nested.vmxon = false; vmx->nested.smm.vmxon = false; free_vpid(vmx->nested.vpid02);
+ show +
11
12
13
14
15
16
17
18
19
20
vmx->nested.posted_intr_nv = -1; vmx->nested.current_vmptr = -1ull; if (enable_shadow_vmcs) { vmx_disable_shadow_vmcs(vmx); vmcs_clear(vmx->vmcs01.shadow_vmcs); free_vmcs(vmx->vmcs01.shadow_vmcs); vmx->vmcs01.shadow_vmcs = NULL; } kfree(vmx->nested.cached_vmcs12); kfree(vmx->nested.cached_shadow_vmcs12);

[xen_CVE-2020-0543_1578512866_parse_spec_ctrl.diff] parse_spec_ctrl_OLD.c #1
opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_srb_lock = 0; } else if ( val > 0 ) rc = -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2020-0543_before_imd_1578512866_parse_spec_ctrl.c
35
36
37
38
39
40
41
42
43
44
disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; opt_md_clear_pv = 0; opt_md_clear_hvm = 0; opt_thunk = THUNK_JMP; opt_ibrs = 0; opt_ibpb = false;
+ show +
45
46
47
48
49
50
opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; } else if ( val > 0 ) rc = -EINVAL;
+ show +
51
52
53
54
55
56
57
58
59
60
else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) { if ( !val ) goto disable_common; rc = -EINVAL; } /* Xen's alternative blocks. */ else if ( (val = parse_boolean("pv", s, ss)) >= 0 )

[linux_CVE-2020-10757_1591266127_move_page_tables.diff] move_page_tables_OLD.c #1
new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr); if (!new_pmd) break; - if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) { + if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) { if (extent == HPAGE_PMD_SIZE) { bool moved; /* See comment in move_ptes() */
.\cloneFuncs\totalClone\Type-1\CVE-2020-10757_before_1mo_1587144356_move_page_tables.c
17
18
19
20
21
22
23
24
25
26
for (; old_addr < old_end; old_addr += extent, new_addr += extent) { cond_resched(); next = (old_addr + PMD_SIZE) & PMD_MASK; /* even if next overflowed, extent below will be ok */ extent = next - old_addr; if (extent > old_end - old_addr) extent = old_end - old_addr; old_pmd = get_old_pmd(vma->vm_mm, old_addr); if (!old_pmd) continue;
+ show +
27
28
29
30
31
32
33
new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr); if (!new_pmd) break; if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) { if (extent == HPAGE_PMD_SIZE) { bool moved; /* See comment in move_ptes() */
+ show +
34
35
36
37
38
39
40
41
42
43
if (need_rmap_locks) take_rmap_locks(vma); moved = move_huge_pmd(vma, old_addr, new_addr, old_end, old_pmd, new_pmd); if (need_rmap_locks) drop_rmap_locks(vma); if (moved) continue; } split_huge_pmd(vma, old_pmd, old_addr);

[qemu_CVE-2020-10761_1591640797_nbd_negotiate_handle_info.diff] nbd_negotiate_handle_info_OLD.c #1
exp = nbd_export_find(name); if (!exp) { + g_autofree char *sane_name = nbd_sanitize_name(name); + return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, errp, "export '%s' not present", - name); + sane_name); } /* Don't bother sending NBD_INFO_NAME unless client requested it */
.\cloneFuncs\totalClone\Type-1\CVE-2020-10761_before_1mo_1580901639_nbd_negotiate_handle_info.c
48
49
50
51
52
53
54
55
56
57
break; case NBD_INFO_BLOCK_SIZE: blocksize = true; break; } } if (client->optlen) { return nbd_reject_length(client, false, errp); }
+ show +
58
59
60
61
62
63
64
65
exp = nbd_export_find(name); if (!exp) { return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, errp, "export '%s' not present", name); } /* Don't bother sending NBD_INFO_NAME unless client requested it */
+ show +
66
67
68
69
70
71
72
73
74
75
if (sendname) { rc = nbd_negotiate_send_info(client, NBD_INFO_NAME, namelen, name, errp); if (rc < 0) { return rc; } } /* Send NBD_INFO_DESCRIPTION only if available, regardless of * client request */
.\cloneFuncs\totalClone\Type-3\CVE-2017-15118_after_6mo_1529585377_nbd_negotiate_handle_info.c
47
48
49
50
51
52
53
54
55
56
break; case NBD_INFO_BLOCK_SIZE: blocksize = true; break; } } if (client->optlen) { return nbd_reject_length(client, false, errp); }
+ show +
57
58
59
60
61
62
63
64
exp = nbd_export_find(name); if (!exp) { return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, errp, "export '%s' not present", name); } /* Don't bother sending NBD_INFO_NAME unless client requested it */
+ show +
65
66
67
68
69
70
71
72
73
74
if (sendname) { rc = nbd_negotiate_send_info(client, NBD_INFO_NAME, namelen, name, errp); if (rc < 0) { return rc; } } /* Send NBD_INFO_DESCRIPTION only if available, regardless of * client request */

[qemu_CVE-2020-10761_1591640797_nbd_negotiate_meta_queries.diff] nbd_negotiate_meta_queries_OLD.c #1
meta->exp = nbd_export_find(export_name); if (meta->exp == NULL) { + g_autofree char *sane_name = nbd_sanitize_name(export_name); + return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, - "export '%s' not present", export_name); + "export '%s' not present", sane_name); } ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
.\cloneFuncs\totalClone\Type-1\CVE-2020-10761_before_1mo_1580901639_nbd_negotiate_meta_queries.c
19
20
21
22
23
24
25
26
27
28
meta = &local_meta; } memset(meta, 0, sizeof(*meta)); ret = nbd_opt_read_name(client, &export_name, NULL, errp); if (ret <= 0) { return ret; }
+ show +
29
30
31
32
33
34
35
meta->exp = nbd_export_find(export_name); if (meta->exp == NULL) { return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, "export '%s' not present", export_name); } ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
+ show +
36
37
38
39
40
41
42
43
44
45
if (ret <= 0) { return ret; } nb_queries = cpu_to_be32(nb_queries); trace_nbd_negotiate_meta_context(nbd_opt_lookup(client->opt), export_name, nb_queries); if (client->opt == NBD_OPT_LIST_META_CONTEXT && !nb_queries) { /* enable all known contexts */ meta->base_allocation = true;

[qemu_CVE-2020-10761_1591640797_nbd_negotiate_send_rep_verr.diff] nbd_negotiate_send_rep_verr_OLD.c #1
msg = g_strdup_vprintf(fmt, va); len = strlen(msg); - assert(len < 4096); + assert(len < NBD_MAX_STRING_SIZE); trace_nbd_negotiate_send_rep_err(msg); ret = nbd_negotiate_send_rep_len(client, type, len, errp); if (ret < 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-10761_before_1mo_1580901639_nbd_negotiate_send_rep_verr.c
1
2
3
4
5
6
7
nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, Error **errp, const char *fmt, va_list va) { g_autofree char *msg = NULL; int ret; size_t len;
+ show +
8
9
10
11
12
13
msg = g_strdup_vprintf(fmt, va); len = strlen(msg); assert(len < 4096); trace_nbd_negotiate_send_rep_err(msg); ret = nbd_negotiate_send_rep_len(client, type, len, errp); if (ret < 0) {
+ show +
14
15
16
17
18
19
20
21
22
return ret; } if (nbd_write(client->ioc, msg, len, errp) < 0) { error_prepend(errp, "write failed (error message): "); return -EIO; } return 0; }

[linux_CVE-2020-12888_1587584891_vfio_pci_bar_rw.diff] vfio_pci_bar_rw_OLD.c #1
size_t x_start = 0, x_end = 0; resource_size_t end; void __iomem *io; + struct resource *res = &vdev->pdev->resource[bar]; ssize_t done; if (pci_resource_start(pdev, bar))
.\cloneFuncs\totalClone\Type-1\CVE-2020-12888_before_1mo_1559635893_vfio_pci_bar_rw.c
1
2
3
4
5
6
ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, size_t count, loff_t *ppos, bool iswrite) { struct pci_dev *pdev = vdev->pdev; loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK; int bar = VFIO_PCI_OFFSET_TO_INDEX(*ppos);
+ show +
7
8
9
10
11
12
size_t x_start = 0, x_end = 0; resource_size_t end; void __iomem *io; ssize_t done; if (pci_resource_start(pdev, bar))
+ show +
13
14
15
16
17
18
19
20
21
22
end = pci_resource_len(pdev, bar); else if (bar == PCI_ROM_RESOURCE && pdev->resource[bar].flags & IORESOURCE_ROM_SHADOW) end = 0x20000; else return -EINVAL; if (pos >= end) return -EINVAL;

[linux_CVE-2020-12888_1587584891_vfio_pci_bar_rw.diff] vfio_pci_bar_rw_OLD.c #2
count = min(count, (size_t)(end - pos)); + if (res->flags & IORESOURCE_MEM) { + down_read(&vdev->memory_lock); + if (!__vfio_pci_memory_enabled(vdev)) { + up_read(&vdev->memory_lock); + return -EIO; + } + } + if (bar == PCI_ROM_RESOURCE) { /* * The ROM can fill less space than the BAR, so we start the
.\cloneFuncs\totalClone\Type-1\CVE-2020-12888_before_1mo_1559635893_vfio_pci_bar_rw.c
13
14
15
16
17
18
19
20
21
22
end = pci_resource_len(pdev, bar); else if (bar == PCI_ROM_RESOURCE && pdev->resource[bar].flags & IORESOURCE_ROM_SHADOW) end = 0x20000; else return -EINVAL; if (pos >= end) return -EINVAL;
+ show +
23
24
25
26
27
count = min(count, (size_t)(end - pos)); if (bar == PCI_ROM_RESOURCE) { /* * The ROM can fill less space than the BAR, so we start the
+ show +
28
29
30
31
32
33
34
35
36
37
* excluded range at the end of the actual ROM. This makes * filling large ROM BARs much faster. */ io = pci_map_rom(pdev, &x_start); if (!io) return -ENOMEM; x_end = end; } else { int ret = vfio_pci_setup_barmap(vdev, bar); if (ret)
.\cloneFuncs\totalClone\Type-3\CVE-2020-12888_after_1mo_1597896275_vfio_pci_bar_rw.c
14
15
16
17
18
19
20
21
22
23
end = pci_resource_len(pdev, bar); else if (bar == PCI_ROM_RESOURCE && pdev->resource[bar].flags & IORESOURCE_ROM_SHADOW) end = 0x20000; else return -EINVAL; if (pos >= end) return -EINVAL;
+ show +
24
25
26
27
28
count = min(count, (size_t)(end - pos)); if (bar == PCI_ROM_RESOURCE) { /* * The ROM can fill less space than the BAR, so we start the
+ show +
29
30
31
32
33
34
35
36
37
38
* excluded range at the end of the actual ROM. This makes * filling large ROM BARs much faster. */ io = pci_map_rom(pdev, &x_start); if (!io) { done = -ENOMEM; goto out; } x_end = end; } else {

[linux_CVE-2020-12888_1587584891_vfio_pci_bar_rw.diff] vfio_pci_bar_rw_OLD.c #3
* filling large ROM BARs much faster. */ io = pci_map_rom(pdev, &x_start); - if (!io) - return -ENOMEM; + if (!io) { + done = -ENOMEM; + goto out; + } x_end = end; } else { int ret = vfio_pci_setup_barmap(vdev, bar); - if (ret) - return ret; + if (ret) { + done = ret; + goto out; + } io = vdev->barmap[bar]; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-12888_before_1mo_1559635893_vfio_pci_bar_rw.c
19
20
21
22
23
24
25
26
27
28
if (pos >= end) return -EINVAL; count = min(count, (size_t)(end - pos)); if (bar == PCI_ROM_RESOURCE) { /* * The ROM can fill less space than the BAR, so we start the * excluded range at the end of the actual ROM. This makes
+ show +
29
30
31
32
33
34
35
36
37
38
39
40
41
* filling large ROM BARs much faster. */ io = pci_map_rom(pdev, &x_start); if (!io) return -ENOMEM; x_end = end; } else { int ret = vfio_pci_setup_barmap(vdev, bar); if (ret) return ret; io = vdev->barmap[bar]; }
+ show +
42
43
44
45
46
47
48
49
50
51
if (bar == vdev->msix_bar) { x_start = vdev->msix_offset; x_end = vdev->msix_offset + vdev->msix_size; } done = do_io_rw(io, buf, pos, count, x_start, x_end, iswrite); if (done >= 0) *ppos += done;

[qemu_CVE-2020-13253_1591291349_sd_normal_command.diff] sd_normal_command_OLD.c #1
case 17: /* CMD17: READ_SINGLE_BLOCK */ switch (sd->state) { case sd_transfer_state: - sd->state = sd_sendingdata_state; - sd->data_start = addr; - sd->data_offset = 0; - if (sd->data_start + sd->blk_len > sd->size) { + if (addr + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; + return sd_r1; } + + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; return sd_r1; default:
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
266
267
268
269
270
271
272
273
274
275
sd->blk_len = req.arg; } return sd_r1; default: break; } break;
+ show +
276
277
278
279
280
281
282
283
284
285
286
287
288
case 17: /* CMD17: READ_SINGLE_BLOCK */ switch (sd->state) { case sd_transfer_state: sd->state = sd_sendingdata_state; sd->data_start = addr; sd->data_offset = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } return sd_r1; default:
+ show +
289
290
291
292
293
294
295
296
297
298
break; } break; case 18: /* CMD18: READ_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state: sd->state = sd_sendingdata_state; sd->data_start = addr; sd->data_offset = 0;

[qemu_CVE-2020-13253_1591291349_sd_normal_command.diff] sd_normal_command_OLD.c #2
case 18: /* CMD18: READ_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state: - sd->state = sd_sendingdata_state; - sd->data_start = addr; - sd->data_offset = 0; - if (sd->data_start + sd->blk_len > sd->size) { + if (addr + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; + return sd_r1; } + + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; return sd_r1; default:
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
283
284
285
286
287
288
289
290
291
292
if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } return sd_r1; default: break; } break;
+ show +
293
294
295
296
297
298
299
300
301
302
303
304
305
case 18: /* CMD18: READ_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state: sd->state = sd_sendingdata_state; sd->data_start = addr; sd->data_offset = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } return sd_r1; default:
+ show +
306
307
308
309
310
311
312
313
314
315
break; } break; case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { break; } if (sd->state == sd_transfer_state) { sd->state = sd_sendingdata_state;

[qemu_CVE-2020-13253_1591291349_sd_normal_command.diff] sd_normal_command_OLD.c #3
/* Writing in SPI mode not implemented. */ if (sd->spi) break; + + if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; + return sd_r1; + } + sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |= ADDRESS_ERROR; - } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
329
330
331
332
333
334
335
336
337
338
default: break; } break; /* Block write commands (Class 4) */ case 24: /* CMD24: WRITE_SINGLE_BLOCK */ switch (sd->state) { case sd_transfer_state:
+ show +
339
340
341
342
343
344
345
346
347
348
349
350
351
352
/* Writing in SPI mode not implemented. */ if (sd->spi) break; sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
+ show +
353
354
355
356
357
358
359
360
361
362
if (sd->csd[14] & 0x30) { sd->card_status |= WP_VIOLATION; } return sd_r1; default: break; } break;
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
356
357
358
359
360
361
362
363
364
365
return sd_r1; default: break; } break; case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state:
+ show +
366
367
368
369
370
371
372
373
374
375
376
377
378
379
/* Writing in SPI mode not implemented. */ if (sd->spi) break; sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
+ show +
380
381
382
383
384
385
386
387
388
389
if (sd->csd[14] & 0x30) { sd->card_status |= WP_VIOLATION; } return sd_r1; default: break; } break;

[qemu_CVE-2020-13253_1591291349_sd_normal_command.diff] sd_normal_command_OLD.c #4
/* Writing in SPI mode not implemented. */ if (sd->spi) break; + + if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; + return sd_r1; + } + sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |= ADDRESS_ERROR; - } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
329
330
331
332
333
334
335
336
337
338
default: break; } break; /* Block write commands (Class 4) */ case 24: /* CMD24: WRITE_SINGLE_BLOCK */ switch (sd->state) { case sd_transfer_state:
+ show +
339
340
341
342
343
344
345
346
347
348
349
350
351
352
/* Writing in SPI mode not implemented. */ if (sd->spi) break; sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
+ show +
353
354
355
356
357
358
359
360
361
362
if (sd->csd[14] & 0x30) { sd->card_status |= WP_VIOLATION; } return sd_r1; default: break; } break;
.\cloneFuncs\totalClone\Type-1\CVE-2020-13253_before_imd_1594625255_sd_normal_command.c
356
357
358
359
360
361
362
363
364
365
return sd_r1; default: break; } break; case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state:
+ show +
366
367
368
369
370
371
372
373
374
375
376
377
378
379
/* Writing in SPI mode not implemented. */ if (sd->spi) break; sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0; sd->blk_written = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |= WP_VIOLATION; }
+ show +
380
381
382
383
384
385
386
387
388
389
if (sd->csd[14] & 0x30) { sd->card_status |= WP_VIOLATION; } return sd_r1; default: break; } break;

[qemu_CVE-2020-13800_1591261710_ati_mm_read.diff] ati_mm_read_OLD.c #1
if (idx <= s->vga.vram_size - size) { val = ldn_le_p(s->vga.vram_ptr + idx, size); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1:
.\cloneFuncs\totalClone\Type-1\CVE-2020-13800_before_1mo_1578670232_ati_mm_read.c
4
5
6
7
8
9
10
11
12
13
uint64_t val = 0; switch (addr) { case MM_INDEX: val = s->regs.mm_index; break; case MM_DATA ... MM_DATA + 3: /* indexed access to regs or memory */ if (s->regs.mm_index & BIT(31)) { uint32_t idx = s->regs.mm_index & ~BIT(31);
+ show +
14
15
16
17
18
19
20
21
if (idx <= s->vga.vram_size - size) { val = ldn_le_p(s->vga.vram_ptr + idx, size); } } else { val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+ show +
22
23
24
25
26
27
28
29
30
31
{ int i = (addr - BIOS_0_SCRATCH) / 4; if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF && i > 3) { break; } val = ati_reg_read_offs(s->regs.bios_scratch[i], addr - (BIOS_0_SCRATCH + i * 4), size); break; } case GEN_INT_CNTL:

[qemu_CVE-2020-13800_1591261710_ati_mm_write.diff] ati_mm_write_OLD.c #1
if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1:
.\cloneFuncs\totalClone\Type-1\CVE-2020-13800_before_imd_1589634783_ati_mm_write.c
7
8
9
10
11
12
13
14
15
16
trace_ati_mm_write(size, addr, ati_reg_name(addr & ~3ULL), data); } switch (addr) { case MM_INDEX: s->regs.mm_index = data & ~3; break; case MM_DATA ... MM_DATA + 3: /* indexed access to regs or memory */ if (s->regs.mm_index & BIT(31)) { uint32_t idx = s->regs.mm_index & ~BIT(31);
+ show +
17
18
19
20
21
22
23
24
if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); } } else { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+ show +
25
26
27
28
29
30
31
32
33
34
{ int i = (addr - BIOS_0_SCRATCH) / 4; if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF && i > 3) { break; } ati_reg_write_offs(&s->regs.bios_scratch[i], addr - (BIOS_0_SCRATCH + i * 4), data, size); break; } case GEN_INT_CNTL:
.\cloneFuncs\totalClone\Type-2\CVE-2020-13800_before_1mo_1578670232_ati_mm_write.c
7
8
9
10
11
12
13
14
15
16
trace_ati_mm_write(size, addr, ati_reg_name(addr & ~3ULL), data); } switch (addr) { case MM_INDEX: s->regs.mm_index = data; break; case MM_DATA ... MM_DATA + 3: /* indexed access to regs or memory */ if (s->regs.mm_index & BIT(31)) { uint32_t idx = s->regs.mm_index & ~BIT(31);
+ show +
17
18
19
20
21
22
23
24
if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); } } else { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+ show +
25
26
27
28
29
30
31
32
33
34
{ int i = (addr - BIOS_0_SCRATCH) / 4; if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF && i > 3) { break; } ati_reg_write_offs(&s->regs.bios_scratch[i], addr - (BIOS_0_SCRATCH + i * 4), data, size); break; } case GEN_INT_CNTL:

[linux_CVE-2020-14331_1595901483_vgacon_scrollback_update.diff] vgacon_scrollback_update_OLD.c #1
p = (void *) (c->vc_origin + t * c->vc_size_row); while (count--) { + if ((vgacon_scrollback_cur->tail + c->vc_size_row) > + vgacon_scrollback_cur->size) + vgacon_scrollback_cur->tail = 0; + scr_memcpyw(vgacon_scrollback_cur->data + vgacon_scrollback_cur->tail, p, c->vc_size_row);
.\cloneFuncs\totalClone\Type-1\CVE-2020-14331_before_1mo_1592207315_vgacon_scrollback_update.c
1
2
3
4
5
6
7
8
static void vgacon_scrollback_update(struct vc_data *c, int t, int count) { void *p; if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size || c->vc_num != fg_console) return;
+ show +
9
10
11
12
13
14
p = (void *) (c->vc_origin + t * c->vc_size_row); while (count--) { scr_memcpyw(vgacon_scrollback_cur->data + vgacon_scrollback_cur->tail, p, c->vc_size_row);
+ show +
15
16
17
18
19
20
21
22
23
24
vgacon_scrollback_cur->cnt++; p += c->vc_size_row; vgacon_scrollback_cur->tail += c->vc_size_row; if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size) vgacon_scrollback_cur->tail = 0; if (vgacon_scrollback_cur->cnt > vgacon_scrollback_cur->rows) vgacon_scrollback_cur->cnt = vgacon_scrollback_cur->rows;

[qemu_CVE-2020-14364_1598333796_do_token_setup.diff] do_token_setup_OLD.c #1
static void do_token_setup(USBDevice *s, USBPacket *p) { int request, value, index; + unsigned int setup_len; if (p->iov.size != 8) { p->status = USB_RET_STALL;
.\cloneFuncs\totalClone\Type-1\CVE-2020-14364_before_1mo_1558518420_do_token_setup.c
+ show +
1
2
3
4
5
6
static void do_token_setup(USBDevice *s, USBPacket *p) { int request, value, index; if (p->iov.size != 8) { p->status = USB_RET_STALL;
+ show +
7
8
9
10
11
12
13
14
15
16
return; } usb_packet_copy(p, s->setup_buf, p->iov.size); s->setup_index = 0; p->actual_length = 0; s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; if (s->setup_len > sizeof(s->data_buf)) { fprintf(stderr, "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",

[qemu_CVE-2020-14364_1598333796_do_token_setup.diff] do_token_setup_OLD.c #2
usb_packet_copy(p, s->setup_buf, p->iov.size); s->setup_index = 0; p->actual_length = 0; - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; - if (s->setup_len > sizeof(s->data_buf)) { + setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; + if (setup_len > sizeof(s->data_buf)) { fprintf(stderr, "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", - s->setup_len, sizeof(s->data_buf)); + setup_len, sizeof(s->data_buf)); p->status = USB_RET_STALL; return; } + s->setup_len = setup_len; request = (s->setup_buf[0] << 8) | s->setup_buf[1]; value = (s->setup_buf[3] << 8) | s->setup_buf[2];
.\cloneFuncs\totalClone\Type-1\CVE-2020-14364_before_1mo_1558518420_do_token_setup.c
1
2
3
4
5
6
7
8
9
static void do_token_setup(USBDevice *s, USBPacket *p) { int request, value, index; if (p->iov.size != 8) { p->status = USB_RET_STALL; return; }
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
usb_packet_copy(p, s->setup_buf, p->iov.size); s->setup_index = 0; p->actual_length = 0; s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; if (s->setup_len > sizeof(s->data_buf)) { fprintf(stderr, "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", s->setup_len, sizeof(s->data_buf)); p->status = USB_RET_STALL; return; } request = (s->setup_buf[0] << 8) | s->setup_buf[1]; value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ show +
24
25
26
27
28
29
30
31
32
33
index = (s->setup_buf[5] << 8) | s->setup_buf[4]; if (s->setup_buf[0] & USB_DIR_IN) { usb_device_handle_control(s, p, request, value, index, s->setup_len, s->data_buf); if (p->status == USB_RET_ASYNC) { s->setup_state = SETUP_STATE_SETUP; } if (p->status != USB_RET_SUCCESS) { return;

[linux_CVE-2020-14386_1599192328_tpacket_rcv.diff] tpacket_rcv_OLD.c #1
int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; - unsigned short macoff, netoff, hdrlen; + unsigned short macoff, hdrlen; + unsigned int netoff; struct sk_buff *copy_skb = NULL; struct timespec64 ts; __u32 ts_status;
.\cloneFuncs\totalClone\Type-1\CVE-2020-14386_before_imd_1598222219_tpacket_rcv.c
1
2
3
4
5
6
7
8
static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { struct sock *sk; struct packet_sock *po; struct sockaddr_ll *sll; union tpacket_uhdr h; u8 *skb_head = skb->data;
+ show +
9
10
11
12
13
14
15
int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; unsigned short macoff, netoff, hdrlen; struct sk_buff *copy_skb = NULL; struct timespec64 ts; __u32 ts_status;
+ show +
16
17
18
19
20
21
22
23
24
25
bool is_drop_n_account = false; unsigned int slot_id = 0; bool do_vnet = false; /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT. * We may add members to them until current aligned size without forcing * userspace to call getsockopt(..., PACKET_HDRLEN, ...). */ BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h2)) != 32); BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h3)) != 48);
.\cloneFuncs\totalClone\Type-3\CVE-2020-14386_before_1mo_1595484547_tpacket_rcv.c
1
2
3
4
5
6
7
8
static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { struct sock *sk; struct packet_sock *po; struct sockaddr_ll *sll; union tpacket_uhdr h; u8 *skb_head = skb->data;
+ show +
9
10
11
12
13
14
15
int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; unsigned short macoff, netoff, hdrlen; struct sk_buff *copy_skb = NULL; struct timespec64 ts; __u32 ts_status;
+ show +
16
17
18
19
20
21
22
23
24
25
bool is_drop_n_account = false; unsigned int slot_id = 0; bool do_vnet = false; /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT. * We may add members to them until current aligned size without forcing * userspace to call getsockopt(..., PACKET_HDRLEN, ...). */ BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h2)) != 32); BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h3)) != 48);
.\cloneFuncs\totalClone\Type-3\CVE-2020-14386_before_6mo_1580338547_tpacket_rcv.c
1
2
3
4
5
6
7
8
static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { struct sock *sk; struct packet_sock *po; struct sockaddr_ll *sll; union tpacket_uhdr h; u8 *skb_head = skb->data;
+ show +
9
10
11
12
13
14
15
int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; unsigned short macoff, netoff, hdrlen; struct sk_buff *copy_skb = NULL; struct timespec64 ts; __u32 ts_status;
+ show +
16
17
18
19
20
21
22
23
24
25
bool is_drop_n_account = false; bool do_vnet = false; /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT. * We may add members to them until current aligned size without forcing * userspace to call getsockopt(..., PACKET_HDRLEN, ...). */ BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h2)) != 32); BUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h3)) != 48);

[linux_CVE-2020-14386_1599192328_tpacket_rcv.diff] tpacket_rcv_OLD.c #2
} macoff = netoff - maclen; } + if (netoff > USHRT_MAX) { + atomic_inc(&po->tp_drops); + goto drop_n_restore; + } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&
.\cloneFuncs\totalClone\Type-1\CVE-2020-14386_before_imd_1598222219_tpacket_rcv.c
68
69
70
71
72
73
74
75
76
77
macoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve; } else { unsigned int maclen = skb_network_offset(skb); netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve; if (po->has_vnet_hdr) { netoff += sizeof(struct virtio_net_hdr); do_vnet = true;
+ show +
78
79
80
81
82
83
} macoff = netoff - maclen; } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&
+ show +
84
85
86
87
88
89
90
91
92
93
atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf) { if (skb_shared(skb)) { copy_skb = skb_clone(skb, GFP_ATOMIC); } else { copy_skb = skb_get(skb); skb_head = skb->data; } if (copy_skb) skb_set_owner_r(copy_skb, sk); }
.\cloneFuncs\totalClone\Type-3\CVE-2020-14386_before_1mo_1595484547_tpacket_rcv.c
68
69
70
71
72
73
74
75
76
77
macoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve; } else { unsigned int maclen = skb_network_offset(skb); netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve; if (po->has_vnet_hdr) { netoff += sizeof(struct virtio_net_hdr); do_vnet = true;
+ show +
78
79
80
81
82
83
} macoff = netoff - maclen; } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&
+ show +
84
85
86
87
88
89
90
91
92
93
atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf) { if (skb_shared(skb)) { copy_skb = skb_clone(skb, GFP_ATOMIC); } else { copy_skb = skb_get(skb); skb_head = skb->data; } if (copy_skb) skb_set_owner_r(copy_skb, sk); }
.\cloneFuncs\totalClone\Type-3\CVE-2020-14386_before_6mo_1580338547_tpacket_rcv.c
67
68
69
70
71
72
73
74
75
76
macoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve; } else { unsigned int maclen = skb_network_offset(skb); netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve; if (po->has_vnet_hdr) { netoff += sizeof(struct virtio_net_hdr); do_vnet = true;
+ show +
77
78
79
80
81
82
} macoff = netoff - maclen; } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&
+ show +
83
84
85
86
87
88
89
90
91
92
atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf) { if (skb_shared(skb)) { copy_skb = skb_clone(skb, GFP_ATOMIC); } else { copy_skb = skb_get(skb); skb_head = skb->data; } if (copy_skb) skb_set_owner_r(copy_skb, sk); }

[qemu_CVE-2020-1711_1579783499_iscsi_co_block_status.diff] iscsi_co_block_status_OLD.c #1
struct scsi_get_lba_status *lbas = NULL; struct scsi_lba_status_descriptor *lbasd = NULL; struct IscsiTask iTask; - uint64_t lba; + uint64_t lba, max_bytes; int ret; iscsi_co_init_iscsitask(iscsilun, &iTask);
.\cloneFuncs\totalClone\Type-1\CVE-2020-1711_before_1mo_1568800300_iscsi_co_block_status.c
1
2
3
4
5
6
7
static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, bool want_zero, int64_t offset, int64_t bytes, int64_t *pnum, int64_t *map, BlockDriverState **file) { IscsiLun *iscsilun = bs->opaque;
+ show +
8
9
10
11
12
13
14
struct scsi_get_lba_status *lbas = NULL; struct scsi_lba_status_descriptor *lbasd = NULL; struct IscsiTask iTask; uint64_t lba; int ret; iscsi_co_init_iscsitask(iscsilun, &iTask);
+ show +
15
16
17
18
19
20
21
22
23
24
assert(QEMU_IS_ALIGNED(offset | bytes, iscsilun->block_size)); /* default to all sectors allocated */ ret = BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID; if (map) { *map = offset; } *pnum = bytes;

[qemu_CVE-2020-1711_1579783499_iscsi_co_block_status.diff] iscsi_co_block_status_OLD.c #2
} lba = offset / iscsilun->block_size; + max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; qemu_mutex_lock(&iscsilun->mutex); retry:
.\cloneFuncs\totalClone\Type-1\CVE-2020-1711_before_1mo_1568800300_iscsi_co_block_status.c
18
19
20
21
22
23
24
25
26
27
/* default to all sectors allocated */ ret = BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID; if (map) { *map = offset; } *pnum = bytes; /* LUN does not support logical block provisioning */ if (!iscsilun->lbpme) { goto out;
+ show +
28
29
30
31
32
33
} lba = offset / iscsilun->block_size; qemu_mutex_lock(&iscsilun->mutex); retry:
+ show +
34
35
36
37
38
39
40
41
42
43
if (iscsi_get_lba_status_task(iscsilun->iscsi, iscsilun->lun, lba, 8 + 16, iscsi_co_generic_cb, &iTask) == NULL) { ret = -ENOMEM; goto out_unlock; } iscsi_co_wait_for_task(&iTask, iscsilun); if (iTask.do_retry) { if (iTask.task != NULL) {

[qemu_CVE-2020-1711_1579783499_iscsi_co_block_status.diff] iscsi_co_block_status_OLD.c #3
goto out_unlock; } - *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; + *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-1711_before_1mo_1568800300_iscsi_co_block_status.c
61
62
63
64
65
66
67
68
69
70
lbas = scsi_datain_unmarshall(iTask.task); if (lbas == NULL) { ret = -EIO; goto out_unlock; } lbasd = &lbas->descriptors[0]; if (lba != lbasd->lba) { ret = -EIO;
+ show +
71
72
73
74
75
76
77
goto out_unlock; } *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+ show +
78
79
80
81
82
83
84
85
86
87
ret &= ~BDRV_BLOCK_DATA; if (iscsilun->lbprz) { ret |= BDRV_BLOCK_ZERO; } } if (ret & BDRV_BLOCK_ZERO) { iscsi_allocmap_set_unallocated(iscsilun, offset, *pnum); } else { iscsi_allocmap_set_allocated(iscsilun, offset, *pnum);

[qemu_CVE-2020-17380_1614774399_sdhci_write.diff] sdhci_write_OLD.c #1
break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { + uint16_t blksize = s->blksize; + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
.\cloneFuncs\totalClone\Type-1\CVE-2020-17380_before_imd_1614774398_sdhci_write.c
19
20
21
22
23
24
25
26
27
28
/* Writing to last byte of sdmasysad might trigger transfer */ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { if (s->trnmod & SDHC_TRNS_MULTI) { sdhci_sdma_transfer_multi_blocks(s); } else { sdhci_sdma_transfer_single_block(s); } } }
+ show +
29
30
31
32
33
break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ show +
34
35
36
37
38
39
40
41
42
43
/* Limit block size to the maximum buffer size */ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " "the maximum buffer 0x%x\n", __func__, s->blksize, s->buf_maxsz); s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); } }
.\cloneFuncs\totalClone\Type-3\CVE-2020-17380_before_1mo_1608046866_sdhci_write.c
17
18
19
20
21
22
23
24
25
26
MASKED_WRITE(s->sdmasysad, mask, value); /* Writing to last byte of sdmasysad might trigger transfer */ if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { if (s->trnmod & SDHC_TRNS_MULTI) { sdhci_sdma_transfer_multi_blocks(s); } else { sdhci_sdma_transfer_single_block(s); } }
+ show +
27
28
29
30
31
break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ show +
32
33
34
35
36
37
38
39
40
41
} /* Limit block size to the maximum buffer size */ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " "the maximum buffer 0x%x\n", __func__, s->blksize, s->buf_maxsz); s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); }

[qemu_CVE-2020-17380_1614774399_sdhci_write.diff] sdhci_write_OLD.c #2
s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); } + + /* + * If the block size is programmed to a different value from + * the previous one, reset the data pointer of s->fifo_buffer[] + * so that s->fifo_buffer[] can be filled in using the new block + * size in the next transfer. + */ + if (blksize != s->blksize) { + s->data_count = 0; + } } break;
.\cloneFuncs\totalClone\Type-1\CVE-2020-17380_before_imd_1614774398_sdhci_write.c
31
32
33
34
35
36
37
38
39
40
if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); /* Limit block size to the maximum buffer size */ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " "the maximum buffer 0x%x\n", __func__, s->blksize, s->buf_maxsz);
+ show +
41
42
43
44
45
s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); } } break;
+ show +
46
47
48
49
50
51
52
53
54
55
case SDHC_ARGUMENT: MASKED_WRITE(s->argument, mask, value); break; case SDHC_TRNMOD: /* DMA can be enabled only if it is supported as indicated by * capabilities register */ if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { value &= ~SDHC_TRNS_DMA; } MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);

[openssl_CVE-2020-1971_1605111178_GENERAL_NAME_cmp.diff] GENERAL_NAME_cmp_OLD.c #1
return -1; switch (a->type) { case GEN_X400: + result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + break; + case GEN_EDIPARTY: - result = ASN1_TYPE_cmp(a->d.other, b->d.other); + result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); break; case GEN_OTHERNAME:
.\cloneFuncs\totalClone\Type-1\CVE-2020-1971_before_1mo_1557763665_GENERAL_NAME_cmp.c
1
2
3
4
5
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) { int result = -1; if (!a || !b || a->type != b->type)
+ show +
6
7
8
9
10
11
12
13
return -1; switch (a->type) { case GEN_X400: case GEN_EDIPARTY: result = ASN1_TYPE_cmp(a->d.other, b->d.other); break; case GEN_OTHERNAME:
+ show +
14
15
16
17
18
19
20
21
22
23
result = OTHERNAME_cmp(a->d.otherName, b->d.otherName); break; case GEN_EMAIL: case GEN_DNS: case GEN_URI: result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5); break; case GEN_DIRNAME:

[openssl_CVE-2020-1971_1605111178_GENERAL_NAME_get0_value.diff] GENERAL_NAME_get0_value_OLD.c #1
*ptype = a->type; switch (a->type) { case GEN_X400: + return a->d.x400Address; + case GEN_EDIPARTY: - return a->d.other; + return a->d.ediPartyName; case GEN_OTHERNAME: return a->d.otherName;
.\cloneFuncs\totalClone\Type-1\CVE-2020-1971_before_1mo_1557763665_GENERAL_NAME_get0_value.c
1
2
3
void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) { if (ptype)
+ show +
4
5
6
7
8
9
10
11
*ptype = a->type; switch (a->type) { case GEN_X400: case GEN_EDIPARTY: return a->d.other; case GEN_OTHERNAME: return a->d.otherName;
+ show +
12
13
14
15
16
17
18
19
20
21
case GEN_EMAIL: case GEN_DNS: case GEN_URI: return a->d.ia5; case GEN_DIRNAME: return a->d.dirn; case GEN_IPADD:

[openssl_CVE-2020-1971_1605111178_GENERAL_NAME_set0_value.diff] GENERAL_NAME_set0_value_OLD.c #1
{ switch (type) { case GEN_X400: + a->d.x400Address = value; + break; + case GEN_EDIPARTY: - a->d.other = value; + a->d.ediPartyName = value; break; case GEN_OTHERNAME:
.\cloneFuncs\totalClone\Type-1\CVE-2020-1971_before_1mo_1557763665_GENERAL_NAME_set0_value.c
1
void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
+ show +
2
3
4
5
6
7
8
9
{ switch (type) { case GEN_X400: case GEN_EDIPARTY: a->d.other = value; break; case GEN_OTHERNAME:
+ show +
10
11
12
13
14
15
16
17
18
19
a->d.otherName = value; break; case GEN_EMAIL: case GEN_DNS: case GEN_URI: a->d.ia5 = value; break; case GEN_DIRNAME:

[ffmpeg_CVE-2020-20446_1622225905_psy_3gpp_analyze_channel.diff] psy_3gpp_analyze_channel_OLD.c #1
if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g];
.\cloneFuncs\totalClone\Type-1\CVE-2020-20446_before_1mo_1490988828_psy_3gpp_analyze_channel.c
137
138
139
140
141
142
143
144
145
146
else band->norm_fac = 0.0f; norm_fac += band->norm_fac; } } delta_pe = desired_pe - pe; if (fabs(delta_pe) > 0.05f * desired_pe) break; }
+ show +
147
148
149
150
151
152
if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ norm_fac = 1.0f / norm_fac; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g];
+ show +
153
154
155
156
157
158
159
160
161
162
if (band->active_lines > 0.5f) { float delta_sfb_pe = band->norm_fac * norm_fac * delta_pe; float thr = band->thr; thr *= exp2f(delta_sfb_pe / band->active_lines); if (thr > coeffs[g].min_snr * band->energy && band->avoid_holes == PSY_3GPP_AH_INACTIVE) thr = FFMAX(band->thr, coeffs[g].min_snr * band->energy); band->thr = thr; }

[ffmpeg_CVE-2020-22015_1622272947_mov_write_video_tag.diff] mov_write_video_tag_OLD.c #1
avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i];
.\cloneFuncs\totalClone\Type-1\CVE-2020-22015_before_1mo_1618854324_mov_write_video_tag.c
54
55
56
57
58
59
60
61
62
63
avio_w8(pb, strlen(compressor_name)); avio_write(pb, compressor_name, 31); if (track->mode == MODE_MOV && (track->par->codec_id == AV_CODEC_ID_V410 || track->par->codec_id == AV_CODEC_ID_V210)) avio_wb16(pb, 0x18); else if (track->mode == MODE_MOV && track->par->bits_per_coded_sample) avio_wb16(pb, track->par->bits_per_coded_sample | (track->par->format == AV_PIX_FMT_GRAY8 ? 0x20 : 0)); else
+ show +
64
65
66
67
68
69
70
71
72
73
74
avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { int pal_size = 1 << track->par->bits_per_coded_sample; int i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i];
+ show +
75
76
77
78
79
80
81
82
83
84
uint16_t r = (rgb >> 16) & 0xff; uint16_t g = (rgb >> 8) & 0xff; uint16_t b = rgb & 0xff; avio_wb16(pb, 0); avio_wb16(pb, (r << 8) | r); avio_wb16(pb, (g << 8) | g); avio_wb16(pb, (b << 8) | b); } } else avio_wb16(pb, 0xffff); /* Reserved */
.\cloneFuncs\totalClone\Type-3\CVE-2020-22015_before_6mo_1605890311_mov_write_video_tag.c
54
55
56
57
58
59
60
61
62
63
avio_w8(pb, strlen(compressor_name)); avio_write(pb, compressor_name, 31); if (track->mode == MODE_MOV && (track->par->codec_id == AV_CODEC_ID_V410 || track->par->codec_id == AV_CODEC_ID_V210)) avio_wb16(pb, 0x18); else if (track->mode == MODE_MOV && track->par->bits_per_coded_sample) avio_wb16(pb, track->par->bits_per_coded_sample | (track->par->format == AV_PIX_FMT_GRAY8 ? 0x20 : 0)); else
+ show +
64
65
66
67
68
69
70
71
72
73
74
avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { int pal_size = 1 << track->par->bits_per_coded_sample; int i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i];
+ show +
75
76
77
78
79
80
81
82
83
84
uint16_t r = (rgb >> 16) & 0xff; uint16_t g = (rgb >> 8) & 0xff; uint16_t b = rgb & 0xff; avio_wb16(pb, 0); avio_wb16(pb, (r << 8) | r); avio_wb16(pb, (g << 8) | g); avio_wb16(pb, (b << 8) | b); } } else avio_wb16(pb, 0xffff); /* Reserved */

[ffmpeg_CVE-2020-22019_1622275111_ff_vmafmotion_init.diff] ff_vmafmotion_init_OLD.c #1
int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32);
.\cloneFuncs\totalClone\Type-1\CVE-2020-22019_before_1mo_1570407030_ff_vmafmotion_init.c
1
2
3
4
int ff_vmafmotion_init(VMAFMotionData *s, int w, int h, enum AVPixelFormat fmt) { size_t data_sz;
+ show +
5
6
7
8
9
10
int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32);
+ show +
11
12
13
14
15
16
17
18
19
20
data_sz = (size_t) s->stride * h; if (!(s->blur_data[0] = av_malloc(data_sz)) || !(s->blur_data[1] = av_malloc(data_sz)) || !(s->temp_data = av_malloc(data_sz))) { return AVERROR(ENOMEM); } for (i = 0; i < 5; i++) { s->filter[i] = lrint(FILTER_5[i] * (1 << BIT_SHIFT));

[ffmpeg_CVE-2020-22037_1628927700_ff_frame_thread_encoder_init.diff] ff_frame_thread_encoder_init_OLD.c #1
{ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_FRAME_THREADS))
.\cloneFuncs\totalClone\Type-1\CVE-2020-22037_before_1mo_1620765199_ff_frame_thread_encoder_init.c
1
int ff_frame_thread_encoder_init(AVCodecContext *avctx)
+ show +
2
3
4
5
6
7
8
{ int i=0; ThreadContext *c; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_FRAME_THREADS))
+ show +
9
10
11
12
13
14
15
16
17
18
return 0; if( !avctx->thread_count && avctx->codec_id == AV_CODEC_ID_MJPEG && !(avctx->flags & AV_CODEC_FLAG_QSCALE)) { av_log(avctx, AV_LOG_DEBUG, "Forcing thread count to 1 for MJPEG encoding, use -thread_type slice " "or a constant quantizer if you want to use multiple cpu cores\n"); avctx->thread_count = 1; }

[ffmpeg_CVE-2020-22037_1628927700_ff_frame_thread_encoder_init.diff] ff_frame_thread_encoder_init_OLD.c #2
for(i=0; i<avctx->thread_count ; i++){ int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0)
.\cloneFuncs\totalClone\Type-1\CVE-2020-22037_before_1mo_1620765199_ff_frame_thread_encoder_init.c
68
69
70
71
72
73
74
75
76
77
pthread_cond_init(&c->finished_task_cond, NULL); atomic_init(&c->exit, 0); c->max_tasks = avctx->thread_count + 2; for (unsigned i = 0; i < c->max_tasks; i++) { if (!(c->tasks[i].indata = av_frame_alloc()) || !(c->tasks[i].outdata = av_packet_alloc())) goto fail; }
+ show +
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
for(i=0; i<avctx->thread_count ; i++){ int ret; void *tmpv; AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; thread_avctx->priv_data = tmpv; thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0)
+ show +
94
95
96
97
98
99
100
101
102
103
goto fail; } thread_avctx->thread_count = 1; thread_avctx->active_thread_type &= ~FF_THREAD_FRAME; if (avcodec_open2(thread_avctx, avctx->codec, NULL) < 0) goto fail; av_assert0(!thread_avctx->internal->frame_thread_encoder); thread_avctx->internal->frame_thread_encoder = c; if(pthread_create(&c->worker[i], NULL, worker, thread_avctx)) {

[linux_CVE-2020-24586_1620756171_ieee80211_rx_h_defragment.diff] ieee80211_rx_h_defragment_OLD.c #1
unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control;
.\cloneFuncs\totalClone\Type-1\CVE-2020-24586_before_imd_1620756170_ieee80211_rx_h_defragment.c
1
2
3
4
5
6
7
static ieee80211_rx_result debug_noinline ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) { struct ieee80211_fragment_cache *cache = &rx->sdata->frags; struct ieee80211_hdr *hdr; u16 sc; __le16 fc;
+ show +
8
9
10
11
12
13
unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control;
+ show +
14
15
16
17
18
19
20
21
22
23
if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc)) return RX_CONTINUE; sc = le16_to_cpu(hdr->seq_ctrl); frag = sc & IEEE80211_SCTL_FRAG; if (is_multicast_ether_addr(hdr->addr1)) { I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); goto out_no_led;
.\cloneFuncs\totalClone\Type-1\CVE-2020-26147_before_1mo_1608317238_ieee80211_rx_h_defragment.c
1
2
3
4
5
6
static ieee80211_rx_result debug_noinline ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) { struct ieee80211_hdr *hdr; u16 sc; __le16 fc;
+ show +
7
8
9
10
11
12
unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control;
+ show +
13
14
15
16
17
18
19
20
21
22
if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc)) return RX_CONTINUE; sc = le16_to_cpu(hdr->seq_ctrl); frag = sc & IEEE80211_SCTL_FRAG; if (is_multicast_ether_addr(hdr->addr1)) { I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); goto out_no_led;
.\cloneFuncs\totalClone\Type-3\CVE-2020-26147_after_imd_1620756163_ieee80211_rx_h_defragment.c
1
2
3
4
5
6
static ieee80211_rx_result debug_noinline ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) { struct ieee80211_hdr *hdr; u16 sc; __le16 fc;
+ show +
7
8
9
10
11
12
unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control;
+ show +
13
14
15
16
17
18
19
20
21
22
if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc)) return RX_CONTINUE; sc = le16_to_cpu(hdr->seq_ctrl); frag = sc & IEEE80211_SCTL_FRAG; if (is_multicast_ether_addr(hdr->addr1)) { I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); goto out_no_led;

[linux_CVE-2020-24586_1620756171_ieee80211_rx_h_defragment.diff] ieee80211_rx_h_defragment_OLD.c #2
sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); - } else if (rx->key && ieee80211_has_protected(fc)) { + } else if (rx->key && + (ieee80211_has_protected(fc) || + (status->flag & RX_FLAG_DECRYPTED))) { entry->is_protected = true; entry->key_color = rx->key->color; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-24586_before_imd_1620756170_ieee80211_rx_h_defragment.c
56
57
58
59
60
61
62
63
64
65
entry->is_protected = true; entry->key_color = rx->key->color; memcpy(entry->last_pn, rx->key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN); BUILD_BUG_ON(offsetof(struct ieee80211_key, u.ccmp.rx_pn) != offsetof(struct ieee80211_key, u.gcmp.rx_pn)); BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
+ show +
66
67
68
69
70
71
72
sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); } else if (rx->key && ieee80211_has_protected(fc)) { entry->is_protected = true; entry->key_color = rx->key->color; }
+ show +
73
74
75
76
77
78
79
80
81
82
return RX_QUEUED; } /* This is a fragment for a frame that should already be pending in * fragment cache. Add this fragment to the end of the pending entry. */ entry = ieee80211_reassemble_find(cache, frag, seq, rx->seqno_idx, hdr); if (!entry) { I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);

[linux_CVE-2020-24586_1620756171_ieee80211_rx_h_defragment.diff] ieee80211_rx_h_defragment_OLD.c #3
return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); } else if (entry->is_protected && - (!rx->key || !ieee80211_has_protected(fc) || + (!rx->key || + (!ieee80211_has_protected(fc) && + !(status->flag & RX_FLAG_DECRYPTED)) || rx->key->color != entry->key_color)) { /* Drop this as a mixed key or fragment cache attack, even * if for TKIP Michael MIC should protect us, and WEP is a * lost cause anyway. */ return RX_DROP_UNUSABLE; + } else if (entry->is_protected && rx->key && + entry->key_color != rx->key->color && + (status->flag & RX_FLAG_DECRYPTED)) { + return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc));
.\cloneFuncs\totalClone\Type-1\CVE-2020-24586_before_imd_1620756170_ieee80211_rx_h_defragment.c
101
102
103
104
105
106
107
108
109
110
memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { pn[i]++; if (pn[i]) break; } rpn = rx->ccm_gcm.pn; if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
+ show +
111
112
113
114
115
116
117
118
119
120
121
122
123
return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); } else if (entry->is_protected && (!rx->key || !ieee80211_has_protected(fc) || rx->key->color != entry->key_color)) { /* Drop this as a mixed key or fragment cache attack, even * if for TKIP Michael MIC should protect us, and WEP is a * lost cause anyway. */ return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc));
+ show +
124
125
126
127
128
129
130
131
132
133
__skb_queue_tail(&entry->skb_list, rx->skb); entry->last_frag = frag; entry->extra_len += rx->skb->len; if (ieee80211_has_morefrags(fc)) { rx->skb = NULL; return RX_QUEUED; } rx->skb = __skb_dequeue(&entry->skb_list); if (skb_tailroom(rx->skb) < entry->extra_len) {

[linux_CVE-2020-24587_1620756178_ath11k_mac_op_set_key.diff] ath11k_mac_op_set_key_OLD.c #1
*/ spin_lock_bh(&ab->base_lock); peer = ath11k_peer_find(ab, arvif->vdev_id, peer_addr); + + /* flush the fragments cache during key (re)install to + * ensure all frags in the new frag list belong to the same key. + */ + if (peer && cmd == SET_KEY) + ath11k_peer_frags_flush(ar, peer); spin_unlock_bh(&ab->base_lock); if (!peer) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-24587_before_1mo_1615795961_ath11k_mac_op_set_key.c
30
31
32
33
34
35
36
37
38
39
peer_addr = sta->addr; else if (arvif->vdev_type == WMI_VDEV_TYPE_STA) peer_addr = vif->bss_conf.bssid; else peer_addr = vif->addr; key->hw_key_idx = key->keyidx; /* the peer should not disappear in mid-way (unless FW goes awry) since * we already hold conf_mutex. we just make sure its there now.
+ show +
40
41
42
43
44
45
*/ spin_lock_bh(&ab->base_lock); peer = ath11k_peer_find(ab, arvif->vdev_id, peer_addr); spin_unlock_bh(&ab->base_lock); if (!peer) {
+ show +
46
47
48
49
50
51
52
53
54
55
if (cmd == SET_KEY) { ath11k_warn(ab, "cannot install key for non-existent peer %pM\n", peer_addr); ret = -EOPNOTSUPP; goto exit; } else { /* if the peer doesn't exist there is no key to disable * anymore */ goto exit;

[linux_CVE-2021-23134_1620112606_llcp_sock_bind.diff] llcp_sock_bind_OLD.c #1
GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE;
.\cloneFuncs\totalClone\Type-1\CVE-2020-25670_after_imd_1616644271_llcp_sock_bind.c
41
42
43
44
45
46
47
48
49
50
} llcp_sock->dev = dev; llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, llcp_addr.service_name_len, NFC_LLCP_MAX_SERVICE_NAME); llcp_sock->service_name = kmemdup(llcp_addr.service_name, llcp_sock->service_name_len,
+ show +
51
52
53
54
55
56
57
58
59
60
61
62
GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE;
+ show +
63
64
65
66
67
68
69
70
71
72
goto put_dev; } llcp_sock->reserved_ssap = llcp_sock->ssap; nfc_llcp_sock_link(&local->sockets, sk); pr_debug("Socket bound to SAP %d\n", llcp_sock->ssap); sk->sk_state = LLCP_BOUND;

[linux_CVE-2020-25670_1616644270_llcp_sock_bind.diff] llcp_sock_bind_OLD.c #1
llcp_sock->service_name_len, GFP_KERNEL); if (!llcp_sock->service_name) { + nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE;
.\cloneFuncs\totalClone\Type-1\CVE-2020-25670_before_1mo_1594967011_llcp_sock_bind.c
40
41
42
43
44
45
46
47
48
49
goto put_dev; } llcp_sock->dev = dev; llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, llcp_addr.service_name_len, NFC_LLCP_MAX_SERVICE_NAME); llcp_sock->service_name = kmemdup(llcp_addr.service_name,
+ show +
50
51
52
53
54
55
56
57
58
59
60
llcp_sock->service_name_len, GFP_KERNEL); if (!llcp_sock->service_name) { ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE;
+ show +
61
62
63
64
65
66
67
68
69
70
goto put_dev; } llcp_sock->reserved_ssap = llcp_sock->ssap; nfc_llcp_sock_link(&local->sockets, sk); pr_debug("Socket bound to SAP %d\n", llcp_sock->ssap); sk->sk_state = LLCP_BOUND;

[linux_CVE-2020-25671_1616644271_llcp_sock_connect.diff] llcp_sock_connect_OLD.c #1
llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-25671_before_1mo_1595484547_llcp_sock_connect.c
46
47
48
49
50
51
52
53
54
55
} device_unlock(&dev->dev); if (local->rf_mode == NFC_RF_INITIATOR && addr->target_idx != local->target_idx) { ret = -ENOLINK; goto put_dev; } llcp_sock->dev = dev;
+ show +
56
57
58
59
60
61
llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { ret = -ENOMEM; goto put_dev; }
+ show +
62
63
64
65
66
67
68
69
70
71
llcp_sock->reserved_ssap = llcp_sock->ssap; if (addr->service_name_len == 0) llcp_sock->dsap = addr->dsap; else llcp_sock->dsap = LLCP_SAP_SDP; llcp_sock->nfc_protocol = addr->nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, addr->service_name_len,

[linux_CVE-2020-25671_1616644271_llcp_sock_connect.diff] llcp_sock_connect_OLD.c #2
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); + nfc_llcp_local_put(llcp_sock->local); put_dev: nfc_put_device(dev);
.\cloneFuncs\totalClone\Type-1\CVE-2020-25671_before_1mo_1595484547_llcp_sock_connect.c
91
92
93
94
95
96
97
98
99
100
if (ret && ret != -EINPROGRESS) goto sock_unlink; release_sock(sk); return ret; sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ show +
101
102
103
104
105
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); put_dev: nfc_put_device(dev);
+ show +
106
107
108
109
110
error: release_sock(sk); return ret; }

[linux_CVE-2020-25672_1616644272_llcp_sock_connect.diff] llcp_sock_connect_OLD.c #1
sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk); + kfree(llcp_sock->service_name); + llcp_sock->service_name = NULL; sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap);
.\cloneFuncs\totalClone\Type-1\CVE-2020-25671_before_1mo_1595484547_llcp_sock_connect.c
88
89
90
91
92
93
94
95
96
97
ret = sock_wait_state(sk, LLCP_CONNECTED, sock_sndtimeo(sk, flags & O_NONBLOCK)); if (ret && ret != -EINPROGRESS) goto sock_unlink; release_sock(sk); return ret;
+ show +
98
99
100
101
102
sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk); sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ show +
103
104
105
106
107
108
109
110
put_dev: nfc_put_device(dev); error: release_sock(sk); return ret; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-25672_before_imd_1616644271_llcp_sock_connect.c
89
90
91
92
93
94
95
96
97
98
ret = sock_wait_state(sk, LLCP_CONNECTED, sock_sndtimeo(sk, flags & O_NONBLOCK)); if (ret && ret != -EINPROGRESS) goto sock_unlink; release_sock(sk); return ret;
+ show +
99
100
101
102
103
sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk); sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ show +
104
105
106
107
108
109
110
111
112
nfc_llcp_local_put(llcp_sock->local); put_dev: nfc_put_device(dev); error: release_sock(sk); return ret; }

[linux_CVE-2021-23134_1620112606_llcp_sock_connect.diff] llcp_sock_connect_OLD.c #1
llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; }
.\cloneFuncs\totalClone\Type-1\CVE-2020-25672_before_imd_1616644271_llcp_sock_connect.c
47
48
49
50
51
52
53
54
55
56
device_unlock(&dev->dev); if (local->rf_mode == NFC_RF_INITIATOR && addr->target_idx != local->target_idx) { ret = -ENOLINK; goto put_dev; } llcp_sock->dev = dev; llcp_sock->local = nfc_llcp_local_get(local);
+ show +
57
58
59
60
61
62
llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; }
+ show +
63
64
65
66
67
68
69
70
71
72
llcp_sock->reserved_ssap = llcp_sock->ssap; if (addr->service_name_len == 0) llcp_sock->dsap = addr->dsap; else llcp_sock->dsap = LLCP_SAP_SDP; llcp_sock->nfc_protocol = addr->nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, addr->service_name_len,
.\cloneFuncs\totalClone\Type-1\CVE-2021-23134_before_imd_1616644273_llcp_sock_connect.c
51
52
53
54
55
56
57
58
59
60
device_unlock(&dev->dev); if (local->rf_mode == NFC_RF_INITIATOR && addr->target_idx != local->target_idx) { ret = -ENOLINK; goto put_dev; } llcp_sock->dev = dev; llcp_sock->local = nfc_llcp_local_get(local);
+ show +
61
62
63
64
65
66
llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; }
+ show +
67
68
69
70
71
72
73
74
75
76
llcp_sock->reserved_ssap = llcp_sock->ssap; if (addr->service_name_len == 0) llcp_sock->dsap = addr->dsap; else llcp_sock->dsap = LLCP_SAP_SDP; llcp_sock->nfc_protocol = addr->nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, addr->service_name_len,
.\cloneFuncs\totalClone\Type-3\CVE-2020-25671_after_imd_1616644272_llcp_sock_connect.c
47
48
49
50
51
52
53
54
55
56
device_unlock(&dev->dev); if (local->rf_mode == NFC_RF_INITIATOR && addr->target_idx != local->target_idx) { ret = -ENOLINK; goto put_dev; } llcp_sock->dev = dev; llcp_sock->local = nfc_llcp_local_get(local);
+ show +
57
58
59
60
61
62
llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; }
+ show +
63
64
65
66
67
68
69
70
71
72
llcp_sock->reserved_ssap = llcp_sock->ssap; if (addr->service_name_len == 0) llcp_sock->dsap = addr->dsap; else llcp_sock->dsap = LLCP_SAP_SDP; llcp_sock->nfc_protocol = addr->nfc_protocol; llcp_sock->service_name_len = min_t(unsigned int, addr->service_name_len,

[linux_CVE-2021-23134_1620112606_llcp_sock_connect.diff] llcp_sock_connect_OLD.c #2
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; put_dev: nfc_put_device(dev);
.\cloneFuncs\totalClone\Type-1\CVE-2020-25672_before_imd_1616644271_llcp_sock_connect.c
92
93
94
95
96
97
98
99
100
101
if (ret && ret != -EINPROGRESS) goto sock_unlink; release_sock(sk); return ret; sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ show +
102
103
104
105
106
107
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); put_dev: nfc_put_device(dev);
+ show +
108
109
110
111
112
error: release_sock(sk); return ret; }
.\cloneFuncs\totalClone\Type-1\CVE-2021-23134_before_imd_1616644273_llcp_sock_connect.c
98
99
100
101
102
103
104
105
106
107
release_sock(sk); return ret; sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name); llcp_sock->service_name = NULL;
+ show +
108
109
110
111
112
113
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); put_dev: nfc_put_device(dev);
+ show +
114
115
116
117
118
error: release_sock(sk); return ret; }
.\cloneFuncs\totalClone\Type-3\CVE-2020-25671_after_imd_1616644272_llcp_sock_connect.c
94
95
96
97
98
99
100
101
102
103
release_sock(sk); return ret; sock_unlink: nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name); llcp_sock->service_name = NULL;
+ show +
104
105
106
107
108
109
sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); put_dev: nfc_put_device(dev);
+ show +
110
111
112
113
114
error: release_sock(sk); return ret; }

[linux_CVE-2020-26141_1620756176_ath10k_htt_rx_h_mpdu.diff] ath10k_htt_rx_h_mpdu_OLD.c #1
} ath10k_htt_rx_h_csum_offload(msdu); + + if (frag && !fill_crypt_header && + enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA) + status->flag &= ~RX_FLAG_MMIC_STRIPPED; + ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype, is_decrypted);
.\cloneFuncs\totalClone\Type-1\CVE-2020-26141_before_imd_1620756175_ath10k_htt_rx_h_mpdu.c
137
138
139
140
141
142
143
144
145
146
if (!frag_pn_check || !multicast_check) { /* Discard the fragment with invalid PN or multicast DA */ temp = msdu->prev; __skb_unlink(msdu, amsdu); dev_kfree_skb_any(msdu); msdu = temp; frag_pn_check = true; multicast_check = true; continue;
+ show +
147
148
149
150
151
} ath10k_htt_rx_h_csum_offload(msdu); ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype, is_decrypted);
+ show +
152
153
154
155
156
157
158
159
160
161
/* Undecapping involves copying the original 802.11 header back * to sk_buff. If frame is protected and hardware has decrypted * it then remove the protected bit. */ if (!is_decrypted) continue; if (is_mgmt) continue;

[linux_CVE-2020-26145_1620756174_ath10k_htt_rx_proc_rx_frag_ind_hl.diff] ath10k_htt_rx_proc_rx_frag_ind_hl_OLD.c #1
rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len); rx_desc_info = __le32_to_cpu(rx_desc->info); + hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len); + + if (is_multicast_ether_addr(hdr->addr1)) { + /* Discard the fragment with multicast DA */ + goto err; + } + if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) { spin_unlock_bh(&ar->data_lock); return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
.\cloneFuncs\totalClone\Type-1\CVE-2020-26145_before_1mo_1611786224_ath10k_htt_rx_proc_rx_frag_ind_hl.c
36
37
38
39
40
41
42
43
44
45
HTT_RX_INDICATION_INFO1_NUM_MPDU_RANGES); tot_hdr_len = sizeof(struct htt_resp_hdr) + sizeof(rx_hl->hdr) + sizeof(rx_hl->ppdu) + sizeof(rx_hl->prefix) + sizeof(rx_hl->fw_desc) + sizeof(struct htt_rx_indication_mpdu_range) * num_mpdu_ranges; tid = MS(rx_hl->hdr.info0, HTT_RX_INDICATION_INFO0_EXT_TID);
+ show +
46
47
48
49
50
51
rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len); rx_desc_info = __le32_to_cpu(rx_desc->info); if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) { spin_unlock_bh(&ar->data_lock); return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
+ show +
52
53
54
55
56
57
58
59
60
61
HTT_RX_NON_PN_CHECK, HTT_RX_NON_TKIP_MIC); } hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len); if (ieee80211_has_retry(hdr->frame_control)) goto err; hdr_space = ieee80211_hdrlen(hdr->frame_control);

[linux_CVE-2020-26145_1620756174_ath10k_htt_rx_proc_rx_frag_ind_hl.diff] ath10k_htt_rx_proc_rx_frag_ind_hl_OLD.c #2
HTT_RX_NON_TKIP_MIC); } - hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len); - if (ieee80211_has_retry(hdr->frame_control)) goto err;
.\cloneFuncs\totalClone\Type-1\CVE-2020-26145_before_1mo_1611786224_ath10k_htt_rx_proc_rx_frag_ind_hl.c
43
44
45
46
47
48
49
50
51
52
sizeof(struct htt_rx_indication_mpdu_range) * num_mpdu_ranges; tid = MS(rx_hl->hdr.info0, HTT_RX_INDICATION_INFO0_EXT_TID); rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len); rx_desc_info = __le32_to_cpu(rx_desc->info); if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) { spin_unlock_bh(&ar->data_lock); return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb, HTT_RX_NON_PN_CHECK,
+ show +
53
54
55
56
57
58
59
HTT_RX_NON_TKIP_MIC); } hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len); if (ieee80211_has_retry(hdr->frame_control)) goto err;
+ show +
60
61
62
63
64
65
66
67
68
69
hdr_space = ieee80211_hdrlen(hdr->frame_control); sc = __le16_to_cpu(hdr->seq_ctrl); seq = (sc & IEEE80211_SCTL_SEQ) >> 4; frag = sc & IEEE80211_SCTL_FRAG; sec_index = MS(rx_desc_info, HTT_RX_DESC_HL_INFO_MCAST_BCAST) ? HTT_TXRX_SEC_MCAST : HTT_TXRX_SEC_UCAST; sec_type = peer->rx_pn[sec_index].sec_type; ath10k_htt_rx_mpdu_desc_pn_hl(rx_desc, &new_pn, peer->rx_pn[sec_index].pn_len);

[linux_CVE-2020-26147_1620756162_ieee80211_rx_h_defragment.diff] ieee80211_rx_h_defragment_OLD.c #1
/* This is the first fragment of a new frame. */ entry = ieee80211_reassemble_add(rx->sdata, frag, seq, rx->seqno_idx, &(rx->skb)); - if (rx->key && - (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || - rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || - rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || - rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && - ieee80211_has_protected(fc)) { + if (requires_sequential_pn(rx, fc)) { int queue = rx->security_idx; /* Store CCMP/GCMP PN so that we can verify that the
.\cloneFuncs\totalClone\Type-1\CVE-2020-26147_before_1mo_1608317238_ieee80211_rx_h_defragment.c
32
33
34
35
36
37
38
39
40
41
/* * skb_linearize() might change the skb->data and * previously cached variables (in this case, hdr) need to * be refreshed with the new data. */ hdr = (struct ieee80211_hdr *)rx->skb->data; seq = (sc & IEEE80211_SCTL_SEQ) >> 4; if (frag == 0) {
+ show +
42
43
44
45
46
47
48
49
50
51
52
53
/* This is the first fragment of a new frame. */ entry = ieee80211_reassemble_add(rx->sdata, frag, seq, rx->seqno_idx, &(rx->skb)); if (rx->key && (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && ieee80211_has_protected(fc)) { int queue = rx->security_idx; /* Store CCMP/GCMP PN so that we can verify that the
+ show +
54
55
56
57
58
59
60
61
62
63
* next fragment has a sequential PN value. */ entry->check_sequential_pn = true; memcpy(entry->last_pn, rx->key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN); BUILD_BUG_ON(offsetof(struct ieee80211_key, u.ccmp.rx_pn) != offsetof(struct ieee80211_key, u.gcmp.rx_pn));

[linux_CVE-2020-26147_1620756162_ieee80211_rx_h_defragment.diff] ieee80211_rx_h_defragment_OLD.c #2
u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; int queue; - if (!rx->key || - (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP && - rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 && - rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP && - rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256)) + if (!requires_sequential_pn(rx, fc)) return RX_DROP_UNUSABLE; memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-26147_before_1mo_1608317238_ieee80211_rx_h_defragment.c
79
80
81
82
83
84
85
86
87
88
return RX_DROP_MONITOR; } /* "The receiver shall discard MSDUs and MMPDUs whose constituent * MPDU PN values are not incrementing in steps of 1." * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP) * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP) */ if (entry->check_sequential_pn) { int i;
+ show +
89
90
91
92
93
94
95
96
97
98
99
u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; int queue; if (!rx->key || (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP && rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 && rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP && rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256)) return RX_DROP_UNUSABLE; memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
+ show +
100
101
102
103
104
105
106
107
108
109
pn[i]++; if (pn[i]) break; } queue = rx->security_idx; rpn = rx->key->u.ccmp.rx_pn[queue]; if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); }

[linux_CVE-2020-27820_1606336008_nouveau_drm_device_fini.diff] nouveau_drm_device_fini_OLD.c #1
static void nouveau_drm_device_fini(struct drm_device *dev) { + struct nouveau_cli *cli, *temp_cli; struct nouveau_drm *drm = nouveau_drm(dev); if (nouveau_pmops_runtime()) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-27820_before_imd_1606336007_nouveau_drm_device_fini.c
+ show +
1
2
3
4
5
6
static void nouveau_drm_device_fini(struct drm_device *dev) { struct nouveau_drm *drm = nouveau_drm(dev); if (nouveau_pmops_runtime()) {
+ show +
7
8
9
10
11
12
13
14
15
16
pm_runtime_get_sync(dev->dev); pm_runtime_forbid(dev->dev); } nouveau_led_fini(dev); nouveau_fbcon_fini(dev); nouveau_dmem_fini(drm); nouveau_svm_fini(drm); nouveau_hwmon_fini(dev); nouveau_debugfs_fini(drm);
.\cloneFuncs\totalClone\Type-3\CVE-2020-27820_before_1mo_1601558460_nouveau_drm_device_fini.c
+ show +
1
2
3
4
5
6
static void nouveau_drm_device_fini(struct drm_device *dev) { struct nouveau_drm *drm = nouveau_drm(dev); if (nouveau_pmops_runtime()) {
+ show +
7
8
9
10
11
12
13
14
15
16
pm_runtime_get_sync(dev->dev); pm_runtime_forbid(dev->dev); } nouveau_led_fini(dev); nouveau_fbcon_fini(dev); nouveau_dmem_fini(drm); nouveau_svm_fini(drm); nouveau_hwmon_fini(dev); nouveau_debugfs_fini(drm);
.\cloneFuncs\totalClone\Type-3\CVE-2020-27820_before_6mo_1590466707_nouveau_drm_device_fini.c
+ show +
1
2
3
4
5
6
static void nouveau_drm_device_fini(struct drm_device *dev) { struct nouveau_drm *drm = nouveau_drm(dev); if (nouveau_pmops_runtime()) {
+ show +
7
8
9
10
11
12
13
14
15
16
pm_runtime_get_sync(dev->dev); pm_runtime_forbid(dev->dev); } nouveau_led_fini(dev); nouveau_fbcon_fini(dev); nouveau_dmem_fini(drm); nouveau_svm_fini(drm); nouveau_hwmon_fini(dev); nouveau_debugfs_fini(drm);

[linux_CVE-2020-27820_1606336008_nouveau_drm_postclose.diff] nouveau_drm_postclose_OLD.c #1
{ struct nouveau_cli *cli = nouveau_cli(fpriv); struct nouveau_drm *drm = nouveau_drm(dev); + int dev_index; + + /* + * The device is gone, and as it currently stands all clients are + * cleaned up in the removal codepath. In the future this may change + * so that we can support hot-unplugging, but for now we immediately + * return to avoid a double-free situation. + */ + if (!drm_dev_enter(dev, &dev_index)) + return; pm_runtime_get_sync(dev->dev);
.\cloneFuncs\totalClone\Type-1\CVE-2020-27820_before_imd_1606336007_nouveau_drm_postclose.c
1
2
static void nouveau_drm_postclose(struct drm_device *dev, struct drm_file *fpriv)
+ show +
3
4
5
6
7
{ struct nouveau_cli *cli = nouveau_cli(fpriv); struct nouveau_drm *drm = nouveau_drm(dev); pm_runtime_get_sync(dev->dev);
+ show +
8
9
10
11
12
13
14
15
16
17
mutex_lock(&cli->mutex); if (cli->abi16) nouveau_abi16_fini(cli->abi16); mutex_unlock(&cli->mutex); mutex_lock(&drm->clients_lock); list_del(&cli->head); mutex_unlock(&drm->clients_lock);
.\cloneFuncs\totalClone\Type-2\CVE-2020-27820_before_1mo_1601558460_nouveau_drm_postclose.c
1
2
static void nouveau_drm_postclose(struct drm_device *dev, struct drm_file *fpriv)
+ show +
3
4
5
6
7
{ struct nouveau_cli *cli = nouveau_cli(fpriv); struct nouveau_drm *drm = nouveau_drm(dev); pm_runtime_get_sync(dev->dev);
+ show +
8
9
10
11
12
13
14
15
16
17
mutex_lock(&cli->mutex); if (cli->abi16) nouveau_abi16_fini(cli->abi16); mutex_unlock(&cli->mutex); mutex_lock(&drm->client.mutex); list_del(&cli->head); mutex_unlock(&drm->client.mutex);

[linux_CVE-2020-28374_1604366518_target_xcopy_parse_target_descriptors.diff] target_xcopy_parse_target_descriptors_OLD.c #1
switch (xop->op_origin) { case XCOL_SOURCE_RECV_OP: - rc = target_xcopy_locate_se_dev_e4(xop->dst_tid_wwn, - &xop->dst_dev); + rc = target_xcopy_locate_se_dev_e4(se_cmd->se_sess, + xop->dst_tid_wwn, + &xop->dst_dev, + &xop->remote_lun_ref); break; case XCOL_DEST_RECV_OP: - rc = target_xcopy_locate_se_dev_e4(xop->src_tid_wwn, - &xop->src_dev); + rc = target_xcopy_locate_se_dev_e4(se_cmd->se_sess, + xop->src_tid_wwn, + &xop->src_dev, + &xop->remote_lun_ref); break; default: pr_err("XCOPY CSCD descriptor IDs not found in CSCD list - "
.\cloneFuncs\totalClone\Type-1\CVE-2020-28374_before_1mo_1591559913_target_xcopy_parse_target_descriptors.c
47
48
49
50
51
52
53
54
55
56
cscd_index++; break; default: pr_err("XCOPY unsupported descriptor type code:" " 0x%02x\n", desc[0]); *sense_ret = TCM_UNSUPPORTED_TARGET_DESC_TYPE_CODE; goto out; } }
+ show +
57
58
59
60
61
62
63
64
65
66
67
switch (xop->op_origin) { case XCOL_SOURCE_RECV_OP: rc = target_xcopy_locate_se_dev_e4(xop->dst_tid_wwn, &xop->dst_dev); break; case XCOL_DEST_RECV_OP: rc = target_xcopy_locate_se_dev_e4(xop->src_tid_wwn, &xop->src_dev); break; default: pr_err("XCOPY CSCD descriptor IDs not found in CSCD list - "
+ show +
68
69
70
71
72
73
74
75
76
77
"stdi: %hu dtdi: %hu\n", xop->stdi, xop->dtdi); rc = -EINVAL; break; } /* * If a matching IEEE NAA 0x83 descriptor for the requested device * is not located on this node, return COPY_ABORTED with ASQ/ASQC * 0x0d/0x02 - COPY_TARGET_DEVICE_NOT_REACHABLE to request the * initiator to fall back to normal copy method. */

[linux_CVE-2020-28588_1606721808_collect_syscall.diff] collect_syscall_OLD.c #1
static int collect_syscall(struct task_struct *target, struct syscall_info *info) { + unsigned long args[6] = { }; struct pt_regs *regs; if (!try_get_task_stack(target)) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-28588_before_1mo_1478553997_collect_syscall.c
+ show +
1
2
3
4
5
static int collect_syscall(struct task_struct *target, struct syscall_info *info) { struct pt_regs *regs; if (!try_get_task_stack(target)) {
+ show +
6
7
8
9
10
11
12
13
14
15
/* Task has no stack, so the task isn't in a syscall. */ memset(info, 0, sizeof(*info)); info->data.nr = -1; return 0; } regs = task_pt_regs(target); if (unlikely(!regs)) { put_task_stack(target); return -EAGAIN;
.\cloneFuncs\totalClone\Type-2\CVE-2020-28588_before_6mo_1478553995_collect_syscall.c
+ show +
1
2
3
4
5
static int collect_syscall(struct task_struct *target, struct syscall_info *info) { struct pt_regs *regs; if (!try_get_task_stack(target)) {
+ show +
6
7
8
9
10
11
12
13
14
15
/* Task has no stack, so the task isn't in a syscall. */ memset(info, 0, sizeof(*info)); info->data.nr = -1; return 0; } regs = task_pt_regs(target); if (unlikely(!regs)) { put_task_stack(target); return -EAGAIN;

[xen_CVE-2020-29567_1608036136_irq_move_cleanup_interrupt.diff] irq_move_cleanup_interrupt_OLD.c #1
{ unsigned vector, me; - /* This interrupt should not nest inside others. */ - BUILD_BUG_ON(APIC_PRIO_CLASS(IRQ_MOVE_CLEANUP_VECTOR) != - APIC_PRIO_CLASS(FIRST_DYNAMIC_VECTOR)); - ack_APIC_irq(); me = smp_processor_id();
.\cloneFuncs\totalClone\Type-1\CVE-2020-29567_before_1mo_1605015375_irq_move_cleanup_interrupt.c
1
void irq_move_cleanup_interrupt(struct cpu_user_regs *regs)
+ show +
2
3
4
5
6
7
8
9
10
11
{ unsigned vector, me; /* This interrupt should not nest inside others. */ BUILD_BUG_ON(APIC_PRIO_CLASS(IRQ_MOVE_CLEANUP_VECTOR) != APIC_PRIO_CLASS(FIRST_DYNAMIC_VECTOR)); ack_APIC_irq(); me = smp_processor_id();
+ show +
12
13
14
15
16
17
18
19
20
21
if ( !cpu_online(me) ) return; for ( vector = FIRST_DYNAMIC_VECTOR; vector <= LAST_HIPRIORITY_VECTOR; vector++) { unsigned int irq; unsigned int irr; struct irq_desc *desc; irq = per_cpu(vector_irq, me)[vector];

[xen_CVE-2020-29567_1608036136_irq_move_cleanup_interrupt.diff] irq_move_cleanup_interrupt_OLD.c #2
*/ if ( irr & (1u << (vector % 32)) ) { + if ( vector < IRQ_MOVE_CLEANUP_VECTOR ) + { + ASSERT_UNREACHABLE(); + goto unlock; + } send_IPI_self(IRQ_MOVE_CLEANUP_VECTOR); TRACE_3D(TRC_HW_IRQ_MOVE_CLEANUP_DELAY, irq, vector, smp_processor_id());
.\cloneFuncs\totalClone\Type-1\CVE-2020-29567_before_1mo_1605015375_irq_move_cleanup_interrupt.c
39
40
41
42
43
44
45
46
47
48
cpumask_test_cpu(me, desc->arch.cpu_mask) ) goto unlock; irr = apic_read(APIC_IRR + (vector / 32 * 0x10)); /* * Check if the vector that needs to be cleanedup is * registered at the cpu's IRR. If so, then this is not * the best time to clean it up. Lets clean it up in the * next attempt by sending another IRQ_MOVE_CLEANUP_VECTOR * to myself.
+ show +
49
50
51
52
53
54
*/ if ( irr & (1u << (vector % 32)) ) { send_IPI_self(IRQ_MOVE_CLEANUP_VECTOR); TRACE_3D(TRC_HW_IRQ_MOVE_CLEANUP_DELAY, irq, vector, smp_processor_id());
+ show +
55
56
57
58
59
60
61
62
63
64
goto unlock; } TRACE_3D(TRC_HW_IRQ_MOVE_CLEANUP, irq, vector, smp_processor_id()); per_cpu(vector_irq, me)[vector] = ~irq; desc->arch.move_cleanup_count--; if ( desc->arch.move_cleanup_count == 0 )

[xen_CVE-2020-29570_1608036397_map_control_block.diff] map_control_block_OLD.c #1
static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset) { void *virt; + struct evtchn_fifo_control_block *control_block; unsigned int i; int rc;
.\cloneFuncs\totalClone\Type-1\CVE-2020-29570_before_1mo_1603440595_map_control_block.c
+ show +
1
2
3
4
5
static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset) { void *virt; unsigned int i; int rc;
+ show +
6
7
8
9
10
11
12
13
14
15
if ( v->evtchn_fifo->control_block ) return -EINVAL; rc = map_guest_page(v->domain, gfn, &virt); if ( rc < 0 ) return rc; v->evtchn_fifo->control_block = virt + offset;

[xen_CVE-2020-29571_1608036171_evtchn_fifo_word_from_port.diff] evtchn_fifo_word_from_port_OLD.c #1
{ unsigned int p, w; + /* + * Callers aren't required to hold d->event_lock, so we need to synchronize + * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/ + * d->evtchn_fifo. + */ + smp_rmb(); + if ( unlikely(port >= d->evtchn_fifo->num_evtchns) ) return NULL;
.\cloneFuncs\totalClone\Type-1\CVE-2020-29571_before_1mo_1603440595_evtchn_fifo_word_from_port.c
1
2
static inline event_word_t *evtchn_fifo_word_from_port(const struct domain *d, unsigned int port)
+ show +
3
4
5
6
7
{ unsigned int p, w; if ( unlikely(port >= d->evtchn_fifo->num_evtchns) ) return NULL;
+ show +
8
9
10
11
12
13
14
15
16
17
/* * Callers aren't required to hold d->event_lock, so we need to synchronize * with add_page_to_event_array(). */ smp_rmb(); p = array_index_nospec(port / EVTCHN_FIFO_EVENT_WORDS_PER_PAGE, d->evtchn_fifo->num_evtchns); w = port % EVTCHN_FIFO_EVENT_WORDS_PER_PAGE;

[qemu_CVE-2021-20263_1614196585_lo_do_open.diff] lo_do_open_OLD.c #1
if (fd < 0) { return -fd; } + if (fi->flags & (O_TRUNC)) { + int err = drop_security_capability(lo, fd); + if (err) { + close(fd); + return err; + } + } } pthread_mutex_lock(&lo->mutex);
.\cloneFuncs\totalClone\Type-1\CVE-2020-35517_after_imd_1612545491_lo_do_open.c
1
2
3
4
5
6
7
8
9
10
static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, int existing_fd, struct fuse_file_info *fi) { ssize_t fh; int fd = existing_fd; update_open_flags(lo->writeback, lo->allow_direct_io, fi); if (fd < 0) { fd = lo_inode_open(lo, inode, fi->flags);
+ show +
11
12
13
14
15
16
if (fd < 0) { return -fd; } } pthread_mutex_lock(&lo->mutex);
+ show +
17
18
19
20
21
22
23
24
25
26
fh = lo_add_fd_mapping(lo, fd); pthread_mutex_unlock(&lo->mutex); if (fh == -1) { close(fd); return ENOMEM; } fi->fh = fh; if (lo->cache == CACHE_NONE) { fi->direct_io = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_imd_1612824024_lo_do_open.c
17
18
19
20
21
22
23
24
25
26
} } fd = lo_inode_open(lo, inode, fi->flags); if (cap_fsetid_dropped) { if (gain_effective_cap("FSETID")) { fuse_log(FUSE_LOG_ERR, "Failed to gain CAP_FSETID\n"); } }
+ show +
27
28
29
30
31
32
if (fd < 0) { return -fd; } } pthread_mutex_lock(&lo->mutex);
+ show +
33
34
35
36
37
38
39
40
41
42
fh = lo_add_fd_mapping(lo, fd); pthread_mutex_unlock(&lo->mutex); if (fh == -1) { close(fd); return ENOMEM; } fi->fh = fh; if (lo->cache == CACHE_NONE) { fi->direct_io = 1;

[qemu_CVE-2020-35517_1612450928_lookup_create_plock_ctx.diff] lookup_create_plock_ctx_OLD.c #1
pid_t pid, int *err) { struct lo_inode_plock *plock; - char procname[64]; int fd; plock =
.\cloneFuncs\totalClone\Type-1\CVE-2020-35517_before_1mo_1607413176_lookup_create_plock_ctx.c
1
2
3
static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo, struct lo_inode *inode, uint64_t lock_owner,
+ show +
4
5
6
7
8
9
10
pid_t pid, int *err) { struct lo_inode_plock *plock; char procname[64]; int fd; plock =
+ show +
11
12
13
14
15
16
17
18
19
20
g_hash_table_lookup(inode->posix_locks, GUINT_TO_POINTER(lock_owner)); if (plock) { return plock; } plock = malloc(sizeof(struct lo_inode_plock)); if (!plock) { *err = ENOMEM; return NULL;

[qemu_CVE-2020-35517_1612450928_lo_setattr.diff] lo_setattr_OLD.c #1
if (fi) { truncfd = fd; } else { - sprintf(procname, "%i", ifd); - truncfd = openat(lo->proc_self_fd, procname, O_RDWR); + truncfd = lo_inode_open(lo, inode, O_RDWR); if (truncfd < 0) { + errno = -truncfd; goto out_err; } }
.\cloneFuncs\totalClone\Type-1\CVE-2020-35517_before_1mo_1607413176_lo_setattr.c
38
39
40
41
42
43
44
45
46
47
gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); if (res == -1) { goto out_err; } } if (valid & FUSE_SET_ATTR_SIZE) { int truncfd;
+ show +
48
49
50
51
52
53
54
55
56
if (fi) { truncfd = fd; } else { sprintf(procname, "%i", ifd); truncfd = openat(lo->proc_self_fd, procname, O_RDWR); if (truncfd < 0) { goto out_err; } }
+ show +
57
58
59
60
61
62
63
64
65
66
res = ftruncate(truncfd, attr->st_size); if (!fi) { saverr = errno; close(truncfd); errno = saverr; } if (res == -1) { goto out_err; }
.\cloneFuncs\totalClone\Type-2\CVE-2020-35517_before_6mo_1593431660_lo_setattr.c
38
39
40
41
42
43
44
45
46
47
gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); if (res == -1) { goto out_err; } } if (valid & FUSE_SET_ATTR_SIZE) { int truncfd;
+ show +
48
49
50
51
52
53
54
55
56
if (fi) { truncfd = fd; } else { sprintf(procname, "%i", ifd); truncfd = openat(lo->proc_self_fd, procname, O_RDWR); if (truncfd < 0) { goto out_err; } }
+ show +
57
58
59
60
61
62
63
64
65
66
res = ftruncate(truncfd, attr->st_size); if (!fi) { saverr = errno; close(truncfd); errno = saverr; } if (res == -1) { goto out_err; }

[qemu_CVE-2020-35517_1612450928_lo_create.diff] lo_create_OLD.c #1
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, mode_t mode, struct fuse_file_info *fi) { - int fd; + int fd = -1; struct lo_data *lo = lo_data(req); struct lo_inode *parent_inode; + struct lo_inode *inode = NULL; struct fuse_entry_param e; int err; struct lo_cred old = {};
.\cloneFuncs\totalClone\Type-1\CVE-2020-35517_before_imd_1612450927_lo_create.c
+ show +
1
2
3
4
5
6
7
8
9
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, mode_t mode, struct fuse_file_info *fi) { int fd; struct lo_data *lo = lo_data(req); struct lo_inode *parent_inode; struct fuse_entry_param e; int err; struct lo_cred old = {};
+ show +
10
11
12
13
14
15
16
17
18
19
fuse_log(FUSE_LOG_DEBUG, "lo_create(parent=%" PRIu64 ", name=%s)\n", parent, name); if (!is_safe_path_component(name)) { fuse_reply_err(req, EINVAL); return; } parent_inode = lo_inode(req, parent);
.\cloneFuncs\totalClone\Type-2\CVE-2020-35517_before_1mo_1607413176_lo_create.c
+ show +
1
2
3
4
5
6
7
8
9
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, mode_t mode, struct fuse_file_info *fi) { int fd; struct lo_data *lo = lo_data(req); struct lo_inode *parent_inode; struct fuse_entry_param e; int err; struct lo_cred old = {};
+ show +
10
11
12
13
14
15
16
17
18
19
fuse_log(FUSE_LOG_DEBUG, "lo_create(parent=%" PRIu64 ", name=%s)\n", parent, name); if (!is_safe_path_component(name)) { fuse_reply_err(req, EINVAL); return; } parent_inode = lo_inode(req, parent);
.\cloneFuncs\totalClone\Type-2\CVE-2020-35517_before_6mo_1593431660_lo_create.c
+ show +
1
2
3
4
5
6
7
8
9
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, mode_t mode, struct fuse_file_info *fi) { int fd; struct lo_data *lo = lo_data(req); struct lo_inode *parent_inode; struct fuse_entry_param e; int err; struct lo_cred old = {};
+ show +
10
11
12
13
14
15
16
17
18
19
fuse_log(FUSE_LOG_DEBUG, "lo_create(parent=%" PRIu64 ", name=%s)\n", parent, name); if (!is_safe_path_component(name)) { fuse_reply_err(req, EINVAL); return; } parent_inode = lo_inode(req, parent);

[qemu_CVE-2020-35517_1612450928_lo_do_open.diff] lo_do_open_OLD.c #1
static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, - struct fuse_file_info *fi) + int existing_fd, struct fuse_file_info *fi) { - char buf[64]; ssize_t fh; - int fd; + int fd = existing_fd; update_open_flags(lo->writeback, lo->allow_direct_io, fi); - sprintf(buf, "%i", inode->fd); - fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW); - if (fd == -1) { - return errno; + if (fd < 0) { + fd = lo_inode_open(lo, inode, fi->flags); + if (fd < 0) { + return -fd; + } } pthread_mutex_lock(&lo->mutex);
.\cloneFuncs\totalClone\Type-1\CVE-2020-35517_before_imd_1612450927_lo_do_open.c
+ show +
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, struct fuse_file_info *fi) { char buf[64]; ssize_t fh; int fd; update_open_flags(lo->writeback, lo->allow_direct_io, fi); sprintf(buf, "%i", inode->fd); fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW); if (fd == -1) { return errno; } pthread_mutex_lock(&lo->mutex);
+ show +
17
18
19
20
21
22
23
24
25
26
fh = lo_add_fd_mapping(lo, fd); pthread_mutex_unlock(&lo->mutex); if (fh == -1) { close(fd); return ENOMEM; } fi->fh = fh; if (lo->cache == CACHE_NONE) { fi->direct_io = 1;

[linux_CVE-2020-8648_1581322291_paste_selection.diff] paste_selection_OLD.c #1
tty_buffer_lock_exclusive(&vc->port); add_wait_queue(&vc->paste_wait, &wait); + mutex_lock(&sel_lock); while (sel_buffer && sel_buffer_lth > pasted) { set_current_state(TASK_INTERRUPTIBLE); if (signal_pending(current)) {
.\cloneFuncs\totalClone\Type-1\CVE-2020-8648_before_imd_1581322290_paste_selection.c
7
8
9
10
11
12
13
14
15
16
DECLARE_WAITQUEUE(wait, current); int ret = 0; console_lock(); poke_blanked_console(); console_unlock(); ld = tty_ldisc_ref_wait(tty); if (!ld) return -EIO; /* ldisc was hung up */
+ show +
17
18
19
20
21
22
tty_buffer_lock_exclusive(&vc->port); add_wait_queue(&vc->paste_wait, &wait); while (sel_buffer && sel_buffer_lth > pasted) { set_current_state(TASK_INTERRUPTIBLE); if (signal_pending(current)) {
+ show +
23
24
25
26
27
28
29
30
31
32
ret = -EINTR; break; } if (tty_throttled(tty)) { schedule(); continue; } __set_current_state(TASK_RUNNING); count = sel_buffer_lth - pasted; count = tty_ldisc_receive_buf(ld, sel_buffer + pasted, NULL,

[linux_CVE-2020-8648_1581322291_paste_selection.diff] paste_selection_OLD.c #2
break; } if (tty_throttled(tty)) { + mutex_unlock(&sel_lock); schedule(); + mutex_lock(&sel_lock); continue; } __set_current_state(TASK_RUNNING);
.\cloneFuncs\totalClone\Type-1\CVE-2020-8648_before_imd_1581322290_paste_selection.c
14
15
16
17
18
19
20
21
22
23
ld = tty_ldisc_ref_wait(tty); if (!ld) return -EIO; /* ldisc was hung up */ tty_buffer_lock_exclusive(&vc->port); add_wait_queue(&vc->paste_wait, &wait); while (sel_buffer && sel_buffer_lth > pasted) { set_current_state(TASK_INTERRUPTIBLE); if (signal_pending(current)) { ret = -EINTR;
+ show +
24
25
26
27
28
29
30
break; } if (tty_throttled(tty)) { schedule(); continue; } __set_current_state(TASK_RUNNING);
+ show +
31
32
33
34
35
36
37
38
39
40
count = sel_buffer_lth - pasted; count = tty_ldisc_receive_buf(ld, sel_buffer + pasted, NULL, count); pasted += count; } remove_wait_queue(&vc->paste_wait, &wait); __set_current_state(TASK_RUNNING); tty_buffer_unlock_exclusive(&vc->port); tty_ldisc_deref(ld);

[linux_CVE-2020-8648_1581322291_paste_selection.diff] paste_selection_OLD.c #3
count); pasted += count; } + mutex_unlock(&sel_lock); remove_wait_queue(&vc->paste_wait, &wait); __set_current_state(TASK_RUNNING);
.\cloneFuncs\totalClone\Type-1\CVE-2020-8648_before_imd_1581322290_paste_selection.c
23
24
25
26
27
28
29
30
31
32
ret = -EINTR; break; } if (tty_throttled(tty)) { schedule(); continue; } __set_current_state(TASK_RUNNING); count = sel_buffer_lth - pasted; count = tty_ldisc_receive_buf(ld, sel_buffer + pasted, NULL,
+ show +
33
34
35
36
37
count); pasted += count; } remove_wait_queue(&vc->paste_wait, &wait); __set_current_state(TASK_RUNNING);
+ show +
38
39
40
41
42
tty_buffer_unlock_exclusive(&vc->port); tty_ldisc_deref(ld); return ret; }
.\cloneFuncs\totalClone\Type-3\CVE-2020-8648_before_1mo_1555503673_paste_selection.c
18
19
20
21
22
23
24
25
26
27
add_wait_queue(&vc->paste_wait, &wait); while (sel_buffer && sel_buffer_lth > pasted) { set_current_state(TASK_INTERRUPTIBLE); if (tty_throttled(tty)) { schedule(); continue; } __set_current_state(TASK_RUNNING); count = sel_buffer_lth - pasted; count = tty_ldisc_receive_buf(ld, sel_buffer + pasted, NULL,
+ show +
28
29
30
31
32
count); pasted += count; } remove_wait_queue(&vc->paste_wait, &wait); __set_current_state(TASK_RUNNING);
+ show +
33
34
35
36
37
tty_buffer_unlock_exclusive(&vc->port); tty_ldisc_deref(ld); return 0; }

[qemu_CVE-2021-20181_1610640252_v9fs_mark_fids_unreclaim.diff] v9fs_mark_fids_unreclaim_OLD.c #1
{ int err; V9fsState *s = pdu->s; - V9fsFidState *fidp, head_fid; + V9fsFidState *fidp; - head_fid.next = s->fid_list; +again: for (fidp = s->fid_list; fidp; fidp = fidp->next) { if (fidp->path.size != path->size) { continue;
.\cloneFuncs\totalClone\Type-1\CVE-2021-20181_before_1mo_1599411032_v9fs_mark_fids_unreclaim.c
1
static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ show +
2
3
4
5
6
7
8
9
10
{ int err; V9fsState *s = pdu->s; V9fsFidState *fidp, head_fid; head_fid.next = s->fid_list; for (fidp = s->fid_list; fidp; fidp = fidp->next) { if (fidp->path.size != path->size) { continue;
+ show +
11
12
13
14
15
16
17
18
19
20
} if (!memcmp(fidp->path.data, path->data, path->size)) { /* Mark the fid non reclaimable. */ fidp->flags |= FID_NON_RECLAIMABLE; /* reopen the file/dir if already closed */ err = v9fs_reopen_fid(pdu, fidp); if (err < 0) { return err; }

[qemu_CVE-2021-20203_1612012612_vmxnet3_activate_device.diff] vmxnet3_activate_device_OLD.c #1
vmxnet3_setup_rx_filtering(s); /* Cache fields from shared memory */ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); + assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); VMW_CFPRN("MTU is %u", s->mtu); s->max_rx_frags =
.\cloneFuncs\totalClone\Type-1\CVE-2021-20203_before_imd_1626876959_vmxnet3_activate_device.c
25
26
27
28
29
30
31
32
33
34
VMXNET3_READ_DRV_SHARED8(d, s->drv_shmem, devRead.misc.numRxQueues); VMW_CFPRN("Number of TX/RX queues %u/%u", s->txq_num, s->rxq_num); if (!vmxnet3_validate_queues(s)) { return; } vmxnet3_adjust_by_guest_type(s); vmxnet3_update_features(s); vmxnet3_update_pm_state(s);
+ show +
35
36
37
38
39
40
vmxnet3_setup_rx_filtering(s); /* Cache fields from shared memory */ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); VMW_CFPRN("MTU is %u", s->mtu); s->max_rx_frags =
+ show +
41
42
43
44
45
46
47
48
49
50
VMXNET3_READ_DRV_SHARED16(d, s->drv_shmem, devRead.misc.maxNumRxSG); if (s->max_rx_frags == 0) { s->max_rx_frags = 1; } VMW_CFPRN("Max RX fragments is %u", s->max_rx_frags); s->event_int_idx = VMXNET3_READ_DRV_SHARED8(d, s->drv_shmem, devRead.intrConf.eventIntrIdx);
.\cloneFuncs\totalClone\Type-3\CVE-2021-20203_before_1mo_1598908053_vmxnet3_activate_device.c
15
16
17
18
19
20
21
22
23
24
/* Verify if device is active */ if (s->device_active) { VMW_CFPRN("Vmxnet3 device is active"); return; } vmxnet3_adjust_by_guest_type(s); vmxnet3_update_features(s); vmxnet3_update_pm_state(s);
+ show +
25
26
27
28
29
30
vmxnet3_setup_rx_filtering(s); /* Cache fields from shared memory */ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); VMW_CFPRN("MTU is %u", s->mtu); s->max_rx_frags =
+ show +
31
32
33
34
35
36
37
38
39
40
VMXNET3_READ_DRV_SHARED16(d, s->drv_shmem, devRead.misc.maxNumRxSG); if (s->max_rx_frags == 0) { s->max_rx_frags = 1; } VMW_CFPRN("Max RX fragments is %u", s->max_rx_frags); s->event_int_idx = VMXNET3_READ_DRV_SHARED8(d, s->drv_shmem, devRead.intrConf.eventIntrIdx);

[qemu_CVE-2021-20203_1612012612_vmxnet3_activate_device.diff] vmxnet3_activate_device_OLD.c #2
/* Read rings memory locations for TX queues */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); + if (size > VMXNET3_TX_RING_MAX_SIZE) { + size = VMXNET3_TX_RING_MAX_SIZE; + } vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, sizeof(struct Vmxnet3_TxDesc), false);
.\cloneFuncs\totalClone\Type-1\CVE-2021-20203_before_imd_1626876959_vmxnet3_activate_device.c
70
71
72
73
74
75
76
77
78
79
hwaddr qdescr_pa = qdescr_table_pa + i * sizeof(struct Vmxnet3_TxQueueDesc); /* Read interrupt number for this TX queue */ s->txq_descr[i].intr_idx = VMXNET3_READ_TX_QUEUE_DESCR8(d, qdescr_pa, conf.intrIdx); assert(vmxnet3_verify_intx(s, s->txq_descr[i].intr_idx)); VMW_CFPRN("TX Queue %d interrupt: %d", i, s->txq_descr[i].intr_idx);
+ show +
80
81
82
83
84
85
/* Read rings memory locations for TX queues */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, sizeof(struct Vmxnet3_TxDesc), false);
+ show +
86
87
88
89
90
91
92
93
94
95
VMXNET3_RING_DUMP(VMW_CFPRN, "TX", i, &s->txq_descr[i].tx_ring); s->max_tx_frags += size; /* TXC ring */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_TxCompDesc), true); VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
.\cloneFuncs\totalClone\Type-3\CVE-2021-20203_before_1mo_1598908053_vmxnet3_activate_device.c
68
69
70
71
72
73
74
75
76
77
hwaddr qdescr_pa = qdescr_table_pa + i * sizeof(struct Vmxnet3_TxQueueDesc); /* Read interrupt number for this TX queue */ s->txq_descr[i].intr_idx = VMXNET3_READ_TX_QUEUE_DESCR8(d, qdescr_pa, conf.intrIdx); assert(vmxnet3_verify_intx(s, s->txq_descr[i].intr_idx)); VMW_CFPRN("TX Queue %d interrupt: %d", i, s->txq_descr[i].intr_idx);
+ show +
78
79
80
81
82
83
/* Read rings memory locations for TX queues */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, sizeof(struct Vmxnet3_TxDesc), false);
+ show +
84
85
86
87
88
89
90
91
92
93
VMXNET3_RING_DUMP(VMW_CFPRN, "TX", i, &s->txq_descr[i].tx_ring); s->max_tx_frags += size; /* TXC ring */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_TxCompDesc), true); VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);

[qemu_CVE-2021-20203_1612012612_vmxnet3_activate_device.diff] vmxnet3_activate_device_OLD.c #3
/* TXC ring */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); + if (size > VMXNET3_TC_RING_MAX_SIZE) { + size = VMXNET3_TC_RING_MAX_SIZE; + } vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_TxCompDesc), true); VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
.\cloneFuncs\totalClone\Type-1\CVE-2021-20203_before_imd_1626876959_vmxnet3_activate_device.c
80
81
82
83
84
85
86
87
88
89
/* Read rings memory locations for TX queues */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, sizeof(struct Vmxnet3_TxDesc), false); VMXNET3_RING_DUMP(VMW_CFPRN, "TX", i, &s->txq_descr[i].tx_ring); s->max_tx_frags += size;
+ show +
90
91
92
93
94
95
/* TXC ring */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_TxCompDesc), true); VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+ show +
96
97
98
99
100
101
102
103
104
105
s->txq_descr[i].tx_stats_pa = qdescr_pa + offsetof(struct Vmxnet3_TxQueueDesc, stats); memset(&s->txq_descr[i].txq_stats, 0, sizeof(s->txq_descr[i].txq_stats)); /* Fill device-managed parameters for queues */ VMXNET3_WRITE_TX_QUEUE_DESCR32(d, qdescr_pa, ctrl.txThreshold,
.\cloneFuncs\totalClone\Type-3\CVE-2021-20203_before_1mo_1598908053_vmxnet3_activate_device.c
78
79
80
81
82
83
84
85
86
87
/* Read rings memory locations for TX queues */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, sizeof(struct Vmxnet3_TxDesc), false); VMXNET3_RING_DUMP(VMW_CFPRN, "TX", i, &s->txq_descr[i].tx_ring); s->max_tx_frags += size;
+ show +
88
89
90
91
92
93
/* TXC ring */ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_TxCompDesc), true); VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+ show +
94
95
96
97
98
99
100
101
102
103
s->txq_descr[i].tx_stats_pa = qdescr_pa + offsetof(struct Vmxnet3_TxQueueDesc, stats); memset(&s->txq_descr[i].txq_stats, 0, sizeof(s->txq_descr[i].txq_stats)); /* Fill device-managed parameters for queues */ VMXNET3_WRITE_TX_QUEUE_DESCR32(d, qdescr_pa, ctrl.txThreshold,

[qemu_CVE-2021-20203_1612012612_vmxnet3_activate_device.diff] vmxnet3_activate_device_OLD.c #4
/* RX rings */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); + if (size > VMXNET3_RX_RING_MAX_SIZE) { + size = VMXNET3_RX_RING_MAX_SIZE; + } vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, sizeof(struct Vmxnet3_RxDesc), false); VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
.\cloneFuncs\totalClone\Type-1\CVE-2021-20203_before_imd_1626876959_vmxnet3_activate_device.c
121
122
123
124
125
126
127
128
129
130
/* Read interrupt number for this RX queue */ s->rxq_descr[i].intr_idx = VMXNET3_READ_TX_QUEUE_DESCR8(d, qd_pa, conf.intrIdx); assert(vmxnet3_verify_intx(s, s->rxq_descr[i].intr_idx)); VMW_CFPRN("RX Queue %d interrupt: %d", i, s->rxq_descr[i].intr_idx); /* Read rings memory locations */ for (j = 0; j < VMXNET3_RX_RINGS_PER_QUEUE; j++) {
+ show +
131
132
133
134
135
136
/* RX rings */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, sizeof(struct Vmxnet3_RxDesc), false); VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+ show +
137
138
139
140
141
142
143
144
145
146
i, j, pa, size); } /* RXC ring */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_RxCompDesc), true); VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
.\cloneFuncs\totalClone\Type-3\CVE-2021-20203_before_1mo_1598908053_vmxnet3_activate_device.c
119
120
121
122
123
124
125
126
127
128
/* Read interrupt number for this RX queue */ s->rxq_descr[i].intr_idx = VMXNET3_READ_TX_QUEUE_DESCR8(d, qd_pa, conf.intrIdx); assert(vmxnet3_verify_intx(s, s->rxq_descr[i].intr_idx)); VMW_CFPRN("RX Queue %d interrupt: %d", i, s->rxq_descr[i].intr_idx); /* Read rings memory locations */ for (j = 0; j < VMXNET3_RX_RINGS_PER_QUEUE; j++) {
+ show +
129
130
131
132
133
134
/* RX rings */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, sizeof(struct Vmxnet3_RxDesc), false); VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+ show +
135
136
137
138
139
140
141
142
143
144
i, j, pa, size); } /* RXC ring */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_RxCompDesc), true); VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);

[qemu_CVE-2021-20203_1612012612_vmxnet3_activate_device.diff] vmxnet3_activate_device_OLD.c #5
/* RXC ring */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); + if (size > VMXNET3_RC_RING_MAX_SIZE) { + size = VMXNET3_RC_RING_MAX_SIZE; + } vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_RxCompDesc), true); VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
.\cloneFuncs\totalClone\Type-1\CVE-2021-20203_before_imd_1626876959_vmxnet3_activate_device.c
130
131
132
133
134
135
136
137
138
139
for (j = 0; j < VMXNET3_RX_RINGS_PER_QUEUE; j++) { /* RX rings */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, sizeof(struct Vmxnet3_RxDesc), false); VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", i, j, pa, size); }
+ show +
140
141
142
143
144
145
/* RXC ring */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_RxCompDesc), true); VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+ show +
146
147
148
149
150
151
152
153
154
155
s->rxq_descr[i].rx_stats_pa = qd_pa + offsetof(struct Vmxnet3_RxQueueDesc, stats); memset(&s->rxq_descr[i].rxq_stats, 0, sizeof(s->rxq_descr[i].rxq_stats)); } vmxnet3_validate_interrupts(s); /* Make sure everything is in place before device activation */
.\cloneFuncs\totalClone\Type-3\CVE-2021-20203_before_1mo_1598908053_vmxnet3_activate_device.c
128
129
130
131
132
133
134
135
136
137
for (j = 0; j < VMXNET3_RX_RINGS_PER_QUEUE; j++) { /* RX rings */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, sizeof(struct Vmxnet3_RxDesc), false); VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", i, j, pa, size); }
+ show +
138
139
140
141
142
143
/* RXC ring */ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, sizeof(struct Vmxnet3_RxCompDesc), true); VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+ show +
144
145
146
147
148
149
150
151
152
153
s->rxq_descr[i].rx_stats_pa = qd_pa + offsetof(struct Vmxnet3_RxQueueDesc, stats); memset(&s->rxq_descr[i].rxq_stats, 0, sizeof(s->rxq_descr[i].rxq_stats)); } vmxnet3_validate_interrupts(s); /* Make sure everything is in place before device activation */

[qemu_CVE-2021-20221_1612089241_gic_dist_writel.diff] gic_dist_writel_OLD.c #1
int target_cpu; cpu = gic_get_current_cpu(s); - irq = value & 0x3ff; + irq = value & 0xf; switch ((value >> 24) & 3) { case 0: mask = (value >> 16) & ALL_CPU_MASK;
.\cloneFuncs\totalClone\Type-1\CVE-2021-20221_before_1mo_1582537162_gic_dist_writel.c
1
2
3
4
5
6
7
8
static void gic_dist_writel(void *opaque, hwaddr offset, uint32_t value, MemTxAttrs attrs) { GICState *s = (GICState *)opaque; if (offset == 0xf00) { int cpu; int irq; int mask;
+ show +
9
10
11
12
13
14
15
int target_cpu; cpu = gic_get_current_cpu(s); irq = value & 0x3ff; switch ((value >> 24) & 3) { case 0: mask = (value >> 16) & ALL_CPU_MASK;
+ show +
16
17
18
19
20
21
22
23
24
25
break; case 1: mask = ALL_CPU_MASK ^ (1 << cpu); break; case 2: mask = 1 << cpu; break; default: DPRINTF("Bad Soft Int target filter\n"); mask = ALL_CPU_MASK;

[qemu_CVE-2021-20263_1614196585_parse_xattrmap.diff] parse_xattrmap_OLD.c #1
{ const char *map = lo->xattrmap; const char *tmp; + int ret; lo->xattr_map_nentries = 0; while (*map) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_1mo_1607413176_parse_xattrmap.c
1
static void parse_xattrmap(struct lo_data *lo)
+ show +
2
3
4
5
6
7
{ const char *map = lo->xattrmap; const char *tmp; lo->xattr_map_nentries = 0; while (*map) {
+ show +
8
9
10
11
12
13
14
15
16
17
XattrMapEntry tmp_entry; char sep; if (isspace(*map)) { map++; continue; } /* The separator is the first non-space of the rule */ sep = *map++; if (!sep) {

[qemu_CVE-2021-20263_1614196585_parse_xattrmap.diff] parse_xattrmap_OLD.c #2
* the last entry. */ parse_xattrmap_map(lo, map, sep); - return; + break; } else { fuse_log(FUSE_LOG_ERR, "%s: Unexpected type;"
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_1mo_1607413176_parse_xattrmap.c
22
23
24
25
26
27
28
29
30
31
/* Start of 'type' */ if (strstart(map, "prefix", &map)) { tmp_entry.flags |= XATTR_MAP_FLAG_PREFIX; } else if (strstart(map, "ok", &map)) { tmp_entry.flags |= XATTR_MAP_FLAG_OK; } else if (strstart(map, "bad", &map)) { tmp_entry.flags |= XATTR_MAP_FLAG_BAD; } else if (strstart(map, "map", &map)) { /* * map is sugar that adds a number of rules, and must be
+ show +
32
33
34
35
36
37
38
* the last entry. */ parse_xattrmap_map(lo, map, sep); return; } else { fuse_log(FUSE_LOG_ERR, "%s: Unexpected type;"
+ show +
39
40
41
42
43
44
45
46
47
48
"Expecting 'prefix', 'ok', 'bad' or 'map' in rule %zu\n", __func__, lo->xattr_map_nentries); exit(1); } if (*map++ != sep) { fuse_log(FUSE_LOG_ERR, "%s: Missing '%c' at end of type field of rule %zu\n", __func__, sep, lo->xattr_map_nentries); exit(1);

[qemu_CVE-2021-20263_1614196585_lo_setattr.diff] lo_setattr_OLD.c #1
uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1; gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; + saverr = drop_security_capability(lo, ifd); + if (saverr) { + goto out_err; + } + res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); if (res == -1) { saverr = errno;
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_imd_1612824024_lo_setattr.c
28
29
30
31
32
33
34
35
36
37
} else { sprintf(procname, "%i", ifd); res = fchmodat(lo->proc_self_fd, procname, attr->st_mode, 0); } if (res == -1) { saverr = errno; goto out_err; } } if (valid & (FUSE_SET_ATTR_UID | FUSE_SET_ATTR_GID)) {
+ show +
38
39
40
41
42
43
uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1; gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); if (res == -1) { saverr = errno;
+ show +
44
45
46
47
48
49
50
51
52
53
goto out_err; } } if (valid & FUSE_SET_ATTR_SIZE) { int truncfd; bool kill_suidgid; bool cap_fsetid_dropped = false; kill_suidgid = lo->killpriv_v2 && (valid & FUSE_SET_ATTR_KILL_SUIDGID); if (fi) {

[qemu_CVE-2021-20263_1614196585_lo_setattr.diff] lo_setattr_OLD.c #2
} } + saverr = drop_security_capability(lo, truncfd); + if (saverr) { + if (!fi) { + close(truncfd); + } + goto out_err; + } + if (kill_suidgid) { res = drop_effective_cap("FSETID", &cap_fsetid_dropped); if (res != 0) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_imd_1612824024_lo_setattr.c
50
51
52
53
54
55
56
57
58
59
bool cap_fsetid_dropped = false; kill_suidgid = lo->killpriv_v2 && (valid & FUSE_SET_ATTR_KILL_SUIDGID); if (fi) { truncfd = fd; } else { truncfd = lo_inode_open(lo, inode, O_RDWR); if (truncfd < 0) { saverr = -truncfd; goto out_err;
+ show +
60
61
62
63
64
65
} } if (kill_suidgid) { res = drop_effective_cap("FSETID", &cap_fsetid_dropped); if (res != 0) {
+ show +
66
67
68
69
70
71
72
73
74
75
saverr = res; if (!fi) { close(truncfd); } goto out_err; } } res = ftruncate(truncfd, attr->st_size); saverr = res == -1 ? errno : 0;

[qemu_CVE-2021-20263_1614196585_lo_write_buf.diff] lo_write_buf_OLD.c #1
"lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu kill_priv=%d)\n", ino, out_buf.buf[0].size, (unsigned long)off, fi->kill_priv); + res = drop_security_capability(lo_data(req), out_buf.buf[0].fd); + if (res) { + fuse_reply_err(req, res); + return; + } + /* * If kill_priv is set, drop CAP_FSETID which should lead to kernel * clearing setuid/setgid on file. Note, for WRITE, we need to do
.\cloneFuncs\totalClone\Type-1\CVE-2021-20263_before_imd_1612824024_lo_write_buf.c
5
6
7
8
9
10
11
12
13
14
(void)ino; ssize_t res; struct fuse_bufvec out_buf = FUSE_BUFVEC_INIT(fuse_buf_size(in_buf)); bool cap_fsetid_dropped = false; out_buf.buf[0].flags = FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK; out_buf.buf[0].fd = lo_fi_fd(req, fi); out_buf.buf[0].pos = off; fuse_log(FUSE_LOG_DEBUG,
+ show +
15
16
17
18
19
20
"lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu kill_priv=%d)\n", ino, out_buf.buf[0].size, (unsigned long)off, fi->kill_priv); /* * If kill_priv is set, drop CAP_FSETID which should lead to kernel * clearing setuid/setgid on file. Note, for WRITE, we need to do
+ show +
21
22
23
24
25
26
27
28
29
30
* this even if killpriv_v2 is not enabled. fuse direct write path * relies on this. */ if (fi->kill_priv) { res = drop_effective_cap("FSETID", &cap_fsetid_dropped); if (res != 0) { fuse_reply_err(req, res); return; } }

[linux_CVE-2021-20288_1618389520_ceph_x_build_request.diff] ceph_x_build_request_OLD.c #1
if (ret < 0) return ret; - auth->struct_v = 2; /* nautilus+ */ + auth->struct_v = 3; /* nautilus+ */ auth->key = 0; for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++) auth->key ^= *(__le64 *)u;
.\cloneFuncs\totalClone\Type-1\CVE-2021-20288_before_1mo_1603728344_ceph_x_build_request.c
29
30
31
32
33
34
35
36
37
38
dout(" get_auth_session_key\n"); head->op = cpu_to_le16(CEPHX_GET_AUTH_SESSION_KEY); /* encrypt and hash */ get_random_bytes(&auth->client_challenge, sizeof(u64)); blob->client_challenge = auth->client_challenge; blob->server_challenge = cpu_to_le64(xi->server_challenge); ret = ceph_x_encrypt(&xi->secret, enc_buf, CEPHX_AU_ENC_BUF_LEN, sizeof(*blob));
+ show +
39
40
41
42
43
44
45
if (ret < 0) return ret; auth->struct_v = 2; /* nautilus+ */ auth->key = 0; for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++) auth->key ^= *(__le64 *)u;
+ show +
46
47
48
49
50
51
52
53
54
55
dout(" server_challenge %llx client_challenge %llx key %llx\n", xi->server_challenge, le64_to_cpu(auth->client_challenge), le64_to_cpu(auth->key)); /* now encode the old ticket if exists */ ret = ceph_x_encode_ticket(th, &p, end); if (ret < 0) return ret; /* nautilus+: request service tickets at the same time */

[linux_CVE-2021-23133_1619989902_sctp_do_bind.diff] sctp_do_bind_OLD.c #1
return -EADDRINUSE; /* Refresh ephemeral port. */ - if (!bp->port) + if (!bp->port) { bp->port = inet_sk(sk)->inet_num; + sctp_auto_asconf_init(sp); + } /* Add the address to the bind address list. * Use GFP_ATOMIC since BHs will be disabled.
.\cloneFuncs\totalClone\Type-1\CVE-2021-23133_before_1mo_1616812043_sctp_do_bind.c
48
49
50
51
52
53
54
55
56
57
*/ if (sctp_bind_addr_match(bp, addr, sp)) return -EINVAL; /* Make sure we are allowed to bind here. * The function sctp_get_port_local() does duplicate address * detection. */ addr->v4.sin_port = htons(snum); if (sctp_get_port_local(sk, addr))
+ show +
58
59
60
61
62
63
64
65
return -EADDRINUSE; /* Refresh ephemeral port. */ if (!bp->port) bp->port = inet_sk(sk)->inet_num; /* Add the address to the bind address list. * Use GFP_ATOMIC since BHs will be disabled.
+ show +
66
67
68
69
70
71
72
73
74
75
*/ ret = sctp_add_bind_addr(bp, addr, af->sockaddr_len, SCTP_ADDR_SRC, GFP_ATOMIC); if (ret) { sctp_put_port(sk); return ret; } /* Copy back into socket for getsockname() use. */ inet_sk(sk)->inet_sport = htons(inet_sk(sk)->inet_num);

[linux_CVE-2021-23133_1619989902_sctp_sock_migrate.diff] sctp_sock_migrate_OLD.c #1
return err; } + sctp_auto_asconf_init(newsp); + /* Move any messages in the old socket's receive queue that are for the * peeled off association to the new socket's receive queue. */
.\cloneFuncs\totalClone\Type-1\CVE-2021-23133_before_1mo_1616812043_sctp_sock_migrate.c
43
44
45
46
47
48
49
50
51
52
if (err) return err; /* New ep's auth_hmacs should be set if old ep's is set, in case * that net->sctp.auth_enable has been changed to 0 by users and * new ep's auth_hmacs couldn't be set in sctp_endpoint_init(). */ if (oldsp->ep->auth_hmacs) { err = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL); if (err)
+ show +
53
54
55
56
57
58
return err; } /* Move any messages in the old socket's receive queue that are for the * peeled off association to the new socket's receive queue. */
+ show +
59
60
61
62
63
64
65
66
67
68
sctp_skb_for_each(skb, &oldsk->sk_receive_queue, tmp) { event = sctp_skb2event(skb); if (event->asoc == assoc) { __skb_unlink(skb, &oldsk->sk_receive_queue); __skb_queue_tail(&newsk->sk_receive_queue, skb); sctp_skb_set_owner_r_frag(skb, newsk); } } /* Clean up any messages pending delivery due to partial

[openssl_CVE-2021-23840_1612286243_EVP_DecryptUpdate.diff] EVP_DecryptUpdate_OLD.c #1
ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING); return 0; } + /* + * final_used is only ever set if buf_len is 0. Therefore the maximum + * length output we will ever see from evp_EncryptDecryptUpdate is + * the maximum multiple of the block length that is <= inl, or just: + * inl & ~(b - 1) + * Since final_used has been set then the final output length is: + * (inl & ~(b - 1)) + b + * This must never exceed INT_MAX + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1;
.\cloneFuncs\totalClone\Type-1\CVE-2021-23840_before_1mo_1608741036_EVP_DecryptUpdate.c
76
77
78
79
80
81
82
83
84
85
if (ctx->flags & EVP_CIPH_NO_PADDING) return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); OPENSSL_assert(b <= sizeof(ctx->final)); if (ctx->final_used) { /* see comment about PTRDIFF_T comparison above */ if (((PTRDIFF_T)out == (PTRDIFF_T)in) || is_partially_overlapping(out, in, b)) {
+ show +
86
87
88
89
90
91
ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING); return 0; } memcpy(out, ctx->final, b); out += b; fix_len = 1;
+ show +
92
93
94
95
96
97
98
99
100
101
} else fix_len = 0; if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl)) return 0; /* * if we have 'decrypted' a multiple of block size, make sure we have a * copy of this last block */

[openssl_CVE-2021-23840_1612286243_evp_EncryptDecryptUpdate.diff] evp_EncryptDecryptUpdate_OLD.c #1
return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the amount of + * data left that is a multiple of the block length is: + * (inl - j) & ~(bl - 1) + * We must ensure that this amount of data, plus the one block that + * we process from ctx->buf does not exceed INT_MAX + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j;
.\cloneFuncs\totalClone\Type-1\CVE-2021-23840_before_1mo_1608741036_evp_EncryptDecryptUpdate.c
42
43
44
45
46
47
48
49
50
51
return 0; } } i = ctx->buf_len; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0;
+ show +
52
53
54
55
56
57
return 1; } else { j = bl - i; memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j;
+ show +
58
59
60
61
62
63
64
65
66
67
if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl)) return 0; out += bl; *outl = bl; } } else *outl = 0; i = inl & (bl - 1); inl -= i; if (inl > 0) {
.\cloneFuncs\totalClone\Type-2\CVE-2021-23840_before_6mo_1594683629_evp_EncryptDecryptUpdate.c
42
43
44
45
46
47
48
49
50
51
return 0; } } i = ctx->buf_len; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0;
+ show +
52
53
54
55
56
57
return 1; } else { j = bl - i; memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j;
+ show +
58
59
60
61
62
63
64
65
66
67
if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl)) return 0; out += bl; *outl = bl; } } else *outl = 0; i = inl & (bl - 1); inl -= i; if (inl > 0) {
.\cloneFuncs\totalClone\Type-3\CVE-2016-2106_after_6mo_1485262654_EVP_EncryptUpdate.c
38
39
40
41
42
43
44
45
46
47
return 0; } } i = ctx->buf_len; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0;
+ show +
48
49
50
51
52
53
return 1; } else { j = bl - i; memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j;
+ show +
54
55
56
57
58
59
60
61
62
63
if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl)) return 0; out += bl; *outl = bl; } } else *outl = 0; i = inl & (bl - 1); inl -= i; if (inl > 0) {

[linux_CVE-2021-28691_1623071595_xenvif_disconnect_queue.diff] xenvif_disconnect_queue_OLD.c #1
{ if (queue->task) { kthread_stop(queue->task); + put_task_struct(queue->task); queue->task = NULL; }
.\cloneFuncs\totalClone\Type-1\CVE-2021-28691_before_1mo_1613038572_xenvif_disconnect_queue.c
1
static void xenvif_disconnect_queue(struct xenvif_queue *queue)
+ show +
2
3
4
5
6
{ if (queue->task) { kthread_stop(queue->task); queue->task = NULL; }
+ show +
7
8
9
10
11
12
13
14
15
16
if (queue->dealloc_task) { kthread_stop(queue->dealloc_task); queue->dealloc_task = NULL; } if (queue->napi.poll) { netif_napi_del(&queue->napi); queue->napi.poll = NULL; }

[linux_CVE-2021-28691_1623071595_xenvif_connect_data.diff] xenvif_connect_data_OLD.c #1
if (IS_ERR(task)) goto kthread_err; queue->task = task; + /* + * Take a reference to the task in order to prevent it from being freed + * if the thread function returns before kthread_stop is called. + */ + get_task_struct(task); task = kthread_run(xenvif_dealloc_kthread, queue, "%s-dealloc", queue->name);
.\cloneFuncs\totalClone\Type-1\CVE-2021-28691_before_imd_1613038573_xenvif_connect_data.c
21
22
23
24
25
26
27
28
29
30
init_waitqueue_head(&queue->dealloc_wq); atomic_set(&queue->inflight_packets, 0); netif_napi_add(queue->vif->dev, &queue->napi, xenvif_poll, XENVIF_NAPI_WEIGHT); queue->stalled = true; task = kthread_run(xenvif_kthread_guest_rx, queue, "%s-guest-rx", queue->name);
+ show +
31
32
33
34
35
36
if (IS_ERR(task)) goto kthread_err; queue->task = task; task = kthread_run(xenvif_dealloc_kthread, queue, "%s-dealloc", queue->name);
+ show +
37
38
39
40
41
42
43
44
45
46
if (IS_ERR(task)) goto kthread_err; queue->dealloc_task = task; if (tx_evtchn == rx_evtchn) { /* feature-split-event-channels == 0 */ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( dev, tx_evtchn, xenvif_interrupt, 0, queue->name, queue); if (err < 0)
.\cloneFuncs\totalClone\Type-3\CVE-2021-28691_before_1mo_1613038572_xenvif_connect_data.c
20
21
22
23
24
25
26
27
28
29
init_waitqueue_head(&queue->dealloc_wq); atomic_set(&queue->inflight_packets, 0); netif_napi_add(queue->vif->dev, &queue->napi, xenvif_poll, XENVIF_NAPI_WEIGHT); queue->stalled = true; task = kthread_run(xenvif_kthread_guest_rx, queue, "%s-guest-rx", queue->name);
+ show +
30
31
32
33
34
35
if (IS_ERR(task)) goto kthread_err; queue->task = task; task = kthread_run(xenvif_dealloc_kthread, queue, "%s-dealloc", queue->name);
+ show +
36
37
38
39
40
41
42
43
44
45
if (IS_ERR(task)) goto kthread_err; queue->dealloc_task = task; if (tx_evtchn == rx_evtchn) { /* feature-split-event-channels == 0 */ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( queue->vif->domid, tx_evtchn, xenvif_interrupt, 0, queue->name, queue); if (err < 0)

[xen_CVE-2021-28692_1623173382_flush_command_buffer.diff] flush_command_buffer_OLD.c #1
-static void flush_command_buffer(struct amd_iommu *iommu) +static void flush_command_buffer(struct amd_iommu *iommu, + unsigned int timeout_base) { - unsigned int cmd[4], status, loop_count; - bool comp_wait; + uint32_t cmd[4]; + s_time_t start, timeout; + static unsigned int __read_mostly threshold = 1; /* RW1C 'ComWaitInt' in status register */ writel(IOMMU_STATUS_COMP_WAIT_INT,
.\cloneFuncs\totalClone\Type-1\CVE-2021-28692_before_1mo_1595845896_flush_command_buffer.c
+ show +
1
2
3
4
5
6
7
static void flush_command_buffer(struct amd_iommu *iommu) { unsigned int cmd[4], status, loop_count; bool comp_wait; /* RW1C 'ComWaitInt' in status register */ writel(IOMMU_STATUS_COMP_WAIT_INT,
+ show +
8
9
10
11
12
13
14
15
16
17
iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET); /* send an empty COMPLETION_WAIT command to flush command buffer */ cmd[3] = cmd[2] = 0; set_field_in_reg_u32(IOMMU_CMD_COMPLETION_WAIT, 0, IOMMU_CMD_OPCODE_MASK, IOMMU_CMD_OPCODE_SHIFT, &cmd[1]); set_field_in_reg_u32(IOMMU_CONTROL_ENABLED, 0, IOMMU_COMP_WAIT_I_FLAG_MASK, IOMMU_COMP_WAIT_I_FLAG_SHIFT, &cmd[0]);

[xen_CVE-2021-28694_1629893852_check_get_page_from_gfn.diff] check_get_page_from_gfn_OLD.c #1
return -EAGAIN; } #endif +#ifdef CONFIG_X86 + if ( p2mt == p2m_mmio_direct ) + { + if ( page ) + put_page(page); + + return -EPERM; + } +#endif if ( !page ) return -EINVAL;
.\cloneFuncs\totalClone\Type-1\CVE-2021-28694_before_1mo_1624545657_check_get_page_from_gfn.c
16
17
18
19
20
21
22
23
24
25
p2m_mem_paging_populate(d, gfn); return -EAGAIN; } #endif #ifdef CONFIG_MEM_SHARING if ( (q & P2M_UNSHARE) && p2m_is_shared(p2mt) ) { if ( page ) put_page(page);
+ show +
26
27
28
29
30
31
return -EAGAIN; } #endif if ( !page ) return -EINVAL;
+ show +
32
33
34
35
36
*p2mt_p = p2mt; *page_p = page; return 0; }
.\cloneFuncs\totalClone\Type-2\CVE-2021-28694_before_6mo_1593381951_check_get_page_from_gfn.c
16
17
18
19
20
21
22
23
24
25
p2m_mem_paging_populate(d, gfn); return -EAGAIN; } #endif #ifdef CONFIG_MEM_SHARING if ( (q & P2M_UNSHARE) && p2m_is_shared(p2mt) ) { if ( page ) put_page(page);
+ show +
26
27
28
29
30
31
return -EAGAIN; } #endif if ( !page ) return -EINVAL;
+ show +
32
33
34
35
36
*p2mt_p = p2mt; *page_p = page; return 0; }

[xen_CVE-2021-28694_1629893852_guest_remove_page.diff] guest_remove_page_OLD.c #1
} if ( p2mt == p2m_mmio_direct ) { - rc = clear_mmio_p2m_entry(d, gmfn, mfn, PAGE_ORDER_4K); + rc = -EPERM; goto out_put_gfn; } #else
.\cloneFuncs\totalClone\Type-1\CVE-2021-28694_before_1mo_1624545657_guest_remove_page.c
33
34
35
36
37
38
39
40
41
42
rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0); if ( rc ) goto out_put_gfn; put_gfn(d, gmfn); p2m_mem_paging_drop_page(d, _gfn(gmfn), p2mt); return 0;
+ show +
43
44
45
46
47
48
49
} if ( p2mt == p2m_mmio_direct ) { rc = clear_mmio_p2m_entry(d, gmfn, mfn, PAGE_ORDER_4K); goto out_put_gfn; } #else
+ show +
50
51
52
53
54
55
56
57
58
59
mfn = gfn_to_mfn(d, _gfn(gmfn)); #endif if ( unlikely(!mfn_valid(mfn)) ) { #ifdef CONFIG_X86 put_gfn(d, gmfn); #endif gdprintk(XENLOG_INFO, "Domain %u page number %lx invalid\n", d->domain_id, gmfn);
.\cloneFuncs\totalClone\Type-3\CVE-2021-28694_before_6mo_1593381951_guest_remove_page.c
31
32
33
34
35
36
37
38
39
40
rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0); if ( rc ) goto out_put_gfn; put_gfn(d, gmfn); p2m_mem_paging_drop_page(d, _gfn(gmfn), p2mt); return 0;
+ show +
41
42
43
44
45
46
47
} if ( p2mt == p2m_mmio_direct ) { rc = clear_mmio_p2m_entry(d, gmfn, mfn, PAGE_ORDER_4K); goto out_put_gfn; } #else
+ show +
48
49
50
51
52
53
54
55
56
57
mfn = gfn_to_mfn(d, _gfn(gmfn)); #endif if ( unlikely(!mfn_valid(mfn)) ) { #ifdef CONFIG_X86 put_gfn(d, gmfn); #endif gdprintk(XENLOG_INFO, "Domain %u page number %lx invalid\n", d->domain_id, gmfn);

[xen_CVE-2021-28696_1629893786_reassign_device.diff] reassign_device_OLD.c #1
{ struct amd_iommu *iommu; int bdf, rc; + const struct ivrs_mappings *ivrs_mappings = get_ivrs_mappings(pdev->seg); bdf = PCI_BDF2(pdev->bus, pdev->devfn); iommu = find_iommu_for_device(pdev->seg, bdf);
.\cloneFuncs\totalClone\Type-1\CVE-2021-28696_before_1mo_1625653965_reassign_device.c
1
2
static int reassign_device(struct domain *source, struct domain *target, u8 devfn, struct pci_dev *pdev)
+ show +
3
4
5
6
7
8
{ struct amd_iommu *iommu; int bdf, rc; bdf = PCI_BDF2(pdev->bus, pdev->devfn); iommu = find_iommu_for_device(pdev->seg, bdf);
+ show +
9
10
11
12
13
14
15
16
17
18
if ( !iommu ) { AMD_IOMMU_DEBUG("Fail to find iommu." " %04x:%02x:%x02.%x cannot be assigned to dom%d\n", pdev->seg, pdev->bus, PCI_SLOT(devfn), PCI_FUNC(devfn), target->domain_id); return -ENODEV; } amd_iommu_disable_domain_device(source, iommu, devfn, pdev);
.\cloneFuncs\totalClone\Type-3\CVE-2021-28696_before_6mo_1606496687_reassign_device.c
1
2
static int reassign_device(struct domain *source, struct domain *target, u8 devfn, struct pci_dev *pdev)
+ show +
3
4
5
6
7
8
{ struct amd_iommu *iommu; int bdf, rc; bdf = PCI_BDF2(pdev->bus, pdev->devfn); iommu = find_iommu_for_device(pdev->seg, bdf);
+ show +
9
10
11
12
13
14
15
16
17
18
if ( !iommu ) { AMD_IOMMU_DEBUG("Fail to find iommu." " %04x:%02x:%x02.%x cannot be assigned to dom%d\n", pdev->seg, pdev->bus, PCI_SLOT(devfn), PCI_FUNC(devfn), target->domain_id); return -ENODEV; } amd_iommu_disable_domain_device(source, iommu, devfn, pdev);

[xen_CVE-2021-28696_1629893786_reassign_device.diff] reassign_device_OLD.c #2
amd_iommu_disable_domain_device(source, iommu, devfn, pdev); - if ( devfn == pdev->devfn ) + /* + * If the device belongs to the hardware domain, and it has a unity mapping, + * don't remove it from the hardware domain, because BIOS may reference that + * mapping. + */ + if ( !is_hardware_domain(source) ) { - list_move(&pdev->domain_list, &target->pdev_list); - pdev->domain = target; + rc = amd_iommu_reserve_domain_unity_unmap( + source, + ivrs_mappings[get_dma_requestor_id(pdev->seg, bdf)].unity_map); + if ( rc ) + return rc; + } + + if ( devfn == pdev->devfn && pdev->domain != dom_io ) + { + list_move(&pdev->domain_list, &dom_io->pdev_list); + pdev->domain = dom_io; } rc = amd_iommu_setup_domain_device(target, iommu, devfn, pdev);
.\cloneFuncs\totalClone\Type-1\CVE-2021-28696_before_1mo_1625653965_reassign_device.c
8
9
10
11
12
13
14
15
16
17
iommu = find_iommu_for_device(pdev->seg, bdf); if ( !iommu ) { AMD_IOMMU_DEBUG("Fail to find iommu." " %04x:%02x:%x02.%x cannot be assigned to dom%d\n", pdev->seg, pdev->bus, PCI_SLOT(devfn), PCI_FUNC(devfn), target->domain_id); return -ENODEV; }
+ show +
18
19
20
21
22
23
24
25
26
amd_iommu_disable_domain_device(source, iommu, devfn, pdev); if ( devfn == pdev->devfn ) { list_move(&pdev->domain_list, &target->pdev_list); pdev->domain = target; } rc = amd_iommu_setup_domain_device(target, iommu, devfn, pdev);
+ show +
27
28
29
30
31
32
33
34
if ( rc ) return rc; AMD_IOMMU_DEBUG("Re-assign %pp from dom%d to dom%d\n", &pdev->sbdf, source->domain_id, target->domain_id); return 0; }

[xen_CVE-2021-28697_1629893876_xenmem_add_to_physmap_one.diff] xenmem_add_to_physmap_one_OLD.c #1
goto put_both; } + /* + * Note that we're (ab)using GFN locking (to really be locking of the + * entire P2M) here in (at least) two ways: Finer grained locking would + * expose lock order violations in the XENMAPSPACE_gmfn case (due to the + * earlier get_gfn_unshare() above). Plus at the very least for the grant + * table v2 status page case we need to guarantee that the same page can + * only appear at a single GFN. While this is a property we want in + * general, for pages which can subsequently be freed this imperative: + * Upon freeing we wouldn't be able to find other mappings in the P2M + * (unless we did a brute force search). + */ + prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); + /* XENMAPSPACE_gmfn: Check if the MFN is associated with another GFN. */ old_gpfn = get_gpfn_from_mfn(mfn_x(mfn)); ASSERT(!SHARED_M2P(old_gpfn)); if ( space == XENMAPSPACE_gmfn && old_gpfn != gfn ) { rc = -EXDEV; - goto put_both; + goto put_all; } /* Remove previously mapped page if it was present. */ - prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); if ( p2mt == p2m_mmio_direct ) rc = -EPERM; else if ( mfn_valid(prev_mfn) )
.\cloneFuncs\totalClone\Type-1\CVE-2021-28697_before_imd_1629893852_xenmem_add_to_physmap_one.c
43
44
45
46
47
48
49
50
51
52
break; } case XENMAPSPACE_gmfn_foreign: return p2m_add_foreign(d, idx, gfn_x(gpfn), extra.foreign_domid); } if ( mfn_eq(mfn, INVALID_MFN) ) { rc = -EINVAL;
+ show +
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
goto put_both; } /* XENMAPSPACE_gmfn: Check if the MFN is associated with another GFN. */ old_gpfn = get_gpfn_from_mfn(mfn_x(mfn)); ASSERT(!SHARED_M2P(old_gpfn)); if ( space == XENMAPSPACE_gmfn && old_gpfn != gfn ) { rc = -EXDEV; goto put_both; } /* Remove previously mapped page if it was present. */ prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); if ( p2mt == p2m_mmio_direct ) rc = -EPERM; else if ( mfn_valid(prev_mfn) )
+ show +
70
71
72
73
74
75
76
77
78
79
{ if ( is_special_page(mfn_to_page(prev_mfn)) ) /* Special pages are simply unhooked from this phys slot. */ rc = guest_physmap_remove_page(d, gpfn, prev_mfn, PAGE_ORDER_4K); else if ( !mfn_eq(mfn, prev_mfn) ) /* Normal domain memory is freed, to avoid leaking memory. */ rc = guest_remove_page(d, gfn_x(gpfn)); } /* In the XENMAPSPACE_gmfn case we still hold a ref on the old page. */ put_gfn(d, gfn_x(gpfn));

[xen_CVE-2021-28697_1629893876_xenmem_add_to_physmap_one.diff] xenmem_add_to_physmap_one_OLD.c #2
/* Normal domain memory is freed, to avoid leaking memory. */ rc = guest_remove_page(d, gfn_x(gpfn)); } - /* In the XENMAPSPACE_gmfn case we still hold a ref on the old page. */ - put_gfn(d, gfn_x(gpfn)); - - if ( rc ) - goto put_both; /* Unmap from old location, if any. */ - if ( old_gpfn != INVALID_M2P_ENTRY ) + if ( !rc && old_gpfn != INVALID_M2P_ENTRY ) rc = guest_physmap_remove_page(d, _gfn(old_gpfn), mfn, PAGE_ORDER_4K); /* Map at new location. */ if ( !rc ) rc = guest_physmap_add_page(d, gpfn, mfn, PAGE_ORDER_4K); + put_all: + put_gfn(d, gfn_x(gpfn)); + put_both: /* * In the XENMAPSPACE_gmfn case, we took a ref of the gfn at the top.
.\cloneFuncs\totalClone\Type-1\CVE-2021-28697_before_imd_1629893852_xenmem_add_to_physmap_one.c
65
66
67
68
69
70
71
72
73
74
/* Remove previously mapped page if it was present. */ prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); if ( p2mt == p2m_mmio_direct ) rc = -EPERM; else if ( mfn_valid(prev_mfn) ) { if ( is_special_page(mfn_to_page(prev_mfn)) ) /* Special pages are simply unhooked from this phys slot. */ rc = guest_physmap_remove_page(d, gpfn, prev_mfn, PAGE_ORDER_4K); else if ( !mfn_eq(mfn, prev_mfn) )
+ show +
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
/* Normal domain memory is freed, to avoid leaking memory. */ rc = guest_remove_page(d, gfn_x(gpfn)); } /* In the XENMAPSPACE_gmfn case we still hold a ref on the old page. */ put_gfn(d, gfn_x(gpfn)); if ( rc ) goto put_both; /* Unmap from old location, if any. */ if ( old_gpfn != INVALID_M2P_ENTRY ) rc = guest_physmap_remove_page(d, _gfn(old_gpfn), mfn, PAGE_ORDER_4K); /* Map at new location. */ if ( !rc ) rc = guest_physmap_add_page(d, gpfn, mfn, PAGE_ORDER_4K); put_both: /* * In the XENMAPSPACE_gmfn case, we took a ref of the gfn at the top.
+ show +
95
96
97
98
99
100
101
102
103
104
* We also may need to transfer ownership of the page reference to our * caller. */ if ( space == XENMAPSPACE_gmfn ) { put_gfn(d, gfn); if ( !rc && extra.ppage ) { *extra.ppage = page; page = NULL;
.\cloneFuncs\totalClone\Type-3\CVE-2021-28697_before_1mo_1624957409_xenmem_add_to_physmap_one.c
63
64
65
66
67
68
69
70
71
72
} /* Remove previously mapped page if it was present. */ prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); if ( mfn_valid(prev_mfn) ) { if ( is_special_page(mfn_to_page(prev_mfn)) ) /* Special pages are simply unhooked from this phys slot. */ rc = guest_physmap_remove_page(d, gpfn, prev_mfn, PAGE_ORDER_4K); else if ( !mfn_eq(mfn, prev_mfn) )
+ show +
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
/* Normal domain memory is freed, to avoid leaking memory. */ rc = guest_remove_page(d, gfn_x(gpfn)); } /* In the XENMAPSPACE_gmfn case we still hold a ref on the old page. */ put_gfn(d, gfn_x(gpfn)); if ( rc ) goto put_both; /* Unmap from old location, if any. */ if ( old_gpfn != INVALID_M2P_ENTRY ) rc = guest_physmap_remove_page(d, _gfn(old_gpfn), mfn, PAGE_ORDER_4K); /* Map at new location. */ if ( !rc ) rc = guest_physmap_add_page(d, gpfn, mfn, PAGE_ORDER_4K); put_both: /* * In the XENMAPSPACE_gmfn case, we took a ref of the gfn at the top.
+ show +
93
94
95
96
97
98
99
100
101
102
* We also may need to transfer ownership of the page reference to our * caller. */ if ( space == XENMAPSPACE_gmfn ) { put_gfn(d, gfn); if ( !rc && extra.ppage ) { *extra.ppage = page; page = NULL;

[xen_CVE-2021-28698_1629893919_grant_table_init.diff] grant_table_init_OLD.c #1
gt->maptrack = vzalloc(gt->max_maptrack_frames * sizeof(*gt->maptrack)); if ( gt->maptrack == NULL ) goto out; + + radix_tree_init(>->maptrack_tree); } /* Shared grant table. */
.\cloneFuncs\totalClone\Type-1\CVE-2021-28698_before_1mo_1623665310_grant_table_init.c
36
37
38
39
40
41
42
43
44
45
/* Active grant table. */ gt->active = xzalloc_array(struct active_grant_entry *, max_nr_active_grant_frames(gt)); if ( gt->active == NULL ) goto out; /* Tracking of mapped foreign frames table */ if ( gt->max_maptrack_frames ) {
+ show +
46
47
48
49
50
51
gt->maptrack = vzalloc(gt->max_maptrack_frames * sizeof(*gt->maptrack)); if ( gt->maptrack == NULL ) goto out; } /* Shared grant table. */
+ show +
52
53
54
55
56
57
58
59
60
61
gt->shared_raw = xzalloc_array(void *, gt->max_grant_frames); if ( gt->shared_raw == NULL ) goto out; /* Status pages for grant table - for version 2 */ gt->status = xzalloc_array(grant_status_t *, grant_to_status_frames(gt->max_grant_frames)); if ( gt->status == NULL ) goto out;

[xen_CVE-2021-28698_1629893919_gnttab_release_mappings.diff] gnttab_release_mappings_OLD.c #1
for ( handle = gt->maptrack_limit; handle; ) { + mfn_t mfn; + /* * Deal with full pages such that their freeing (in the body of the * if()) remains simple.
.\cloneFuncs\totalClone\Type-1\CVE-2021-28698_before_imd_1629893898_gnttab_release_mappings.c
8
9
10
11
12
13
14
15
16
17
struct active_grant_entry *act; grant_entry_header_t *sha; uint16_t *status; struct page_info *pg; BUG_ON(!d->is_dying); if ( !gt || !gt->maptrack ) return 0;
+ show +
18
19
20
21
22
for ( handle = gt->maptrack_limit; handle; ) { /* * Deal with full pages such that their freeing (in the body of the * if()) remains simple.
+ show +
23
24
25
26
27
28
29
30
31
32
*/ if ( handle < gt->maptrack_limit && !(handle % MAPTRACK_PER_PAGE) ) { /* * Changing maptrack_limit alters nr_maptrack_frames()'es return * value. Free the then excess trailing page right here, rather * than leaving it to grant_table_destroy() (and in turn requiring * to leave gt->maptrack_limit unaltered). */ gt->maptrack_limit = handle;

[xen_CVE-2021-28700_1629893971_construct_dom0.diff] construct_dom0_OLD.c #1
iommu_hwdom_init(d); - d->max_pages = ~0U; + d->max_pages = dom0_mem >> PAGE_SHIFT; kinfo.unassigned_mem = dom0_mem; kinfo.d = d;
.\cloneFuncs\totalClone\Type-1\CVE-2021-28700_before_1mo_1619095907_construct_dom0.c
11
12
13
14
15
16
17
18
19
20
/* The ordering of operands is to work around a clang5 issue. */ if ( CONFIG_DOM0_MEM[0] && !dom0_mem_set ) parse_dom0_mem(CONFIG_DOM0_MEM); if ( dom0_mem <= 0 ) { warning_add("PLEASE SPECIFY dom0_mem PARAMETER - USING 512M FOR NOW\n"); dom0_mem = MB(512); }
+ show +
21
22
23
24
25
26
iommu_hwdom_init(d); d->max_pages = ~0U; kinfo.unassigned_mem = dom0_mem; kinfo.d = d;
+ show +
27
28
29
30
31
32
33
34
35
36
rc = kernel_probe(&kinfo, NULL); if ( rc < 0 ) return rc; #ifdef CONFIG_ARM_64 /* type must be set before allocate_memory */ d->arch.type = kinfo.type; #endif allocate_memory_11(d, &kinfo);
.\cloneFuncs\totalClone\Type-2\CVE-2021-28700_before_6mo_1610723103_construct_dom0.c
11
12
13
14
15
16
17
18
19
20
/* The ordering of operands is to work around a clang5 issue. */ if ( CONFIG_DOM0_MEM[0] && !dom0_mem_set ) parse_dom0_mem(CONFIG_DOM0_MEM); if ( dom0_mem <= 0 ) { warning_add("PLEASE SPECIFY dom0_mem PARAMETER - USING 512M FOR NOW\n"); dom0_mem = MB(512); }
+ show +
21
22
23
24
25
26
iommu_hwdom_init(d); d->max_pages = ~0U; kinfo.unassigned_mem = dom0_mem; kinfo.d = d;
+ show +
27
28
29
30
31
32
33
34
35
36
rc = kernel_probe(&kinfo, NULL); if ( rc < 0 ) return rc; #ifdef CONFIG_ARM_64 /* type must be set before allocate_memory */ d->arch.type = kinfo.type; #endif allocate_memory_11(d, &kinfo);

[xen_CVE-2021-28700_1629893971_construct_domU.diff] construct_domU_OLD.c #1
if ( vcpu_create(d, 0) == NULL ) return -ENOMEM; - d->max_pages = ~0U; + + d->max_pages = ((paddr_t)mem * SZ_1K) >> PAGE_SHIFT; kinfo.d = d;
.\cloneFuncs\totalClone\Type-1\CVE-2021-28700_before_1mo_1619095907_construct_domU.c
10
11
12
13
14
15
16
17
18
19
{ printk("Error building DomU: cannot read \"memory\" property\n"); return -EINVAL; } kinfo.unassigned_mem = (paddr_t)mem * SZ_1K; printk("*** LOADING DOMU cpus=%u memory=%"PRIx64"KB ***\n", d->max_vcpus, mem); kinfo.vpl011 = dt_property_read_bool(node, "vpl011");
+ show +
20
21
22
23
24
if ( vcpu_create(d, 0) == NULL ) return -ENOMEM; d->max_pages = ~0U; kinfo.d = d;
+ show +
25
26
27
28
29
30
31
32
33
34
rc = kernel_probe(&kinfo, node); if ( rc < 0 ) return rc; #ifdef CONFIG_ARM_64 /* type must be set before allocate memory */ d->arch.type = kinfo.type; #endif allocate_memory(d, &kinfo);

[xen_CVE-2021-28701_1631104665_gnttab_map_frame.diff] gnttab_map_frame_OLD.c #1
} if ( !rc ) - gnttab_set_frame_gfn(gt, status, idx, gfn); + { + /* + * Make sure gnttab_unpopulate_status_frames() won't (successfully) + * free the page until our caller has completed its operation. + */ + if ( get_page(mfn_to_page(*mfn), d) ) + gnttab_set_frame_gfn(gt, status, idx, gfn); + else + rc = -EBUSY; + } grant_write_unlock(gt);
.\cloneFuncs\totalClone\Type-1\CVE-2021-28701_before_1mo_1623665310_gnttab_map_frame.c
15
16
17
18
19
20
21
22
23
24
} else rc = gnttab_get_shared_frame_mfn(d, idx, mfn); if ( !rc && paging_mode_translate(d) ) { gfn_t gfn = gnttab_get_frame_gfn(gt, status, idx); if ( !gfn_eq(gfn, INVALID_GFN) ) rc = guest_physmap_remove_page(d, gfn, *mfn, 0);
+ show +
25
26
27
28
29
30
} if ( !rc ) gnttab_set_frame_gfn(gt, status, idx, gfn); grant_write_unlock(gt);
+ show +
31
32
33
return rc; }

[xen_CVE-2021-28705_1637579552_guest_physmap_add_entry.diff] guest_physmap_add_entry_OLD.c #1
/* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access); - if ( rc == 0 ) + if ( likely(!rc) ) { - pod_lock(p2m); - p2m->pod.entry_count -= pod_count; - BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); - if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
.\cloneFuncs\totalClone\Type-1\CVE-2021-28705_before_1mo_1631104665_guest_physmap_add_entry.c
121
122
123
124
125
126
127
128
129
130
ASSERT(mfn_valid(omfn)); P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n", gfn_x(ogfn) , mfn_x(omfn)); if ( mfn_eq(omfn, mfn_add(mfn, i)) && (rc = p2m_remove_page(p2m, ogfn, omfn, 0)) ) goto out; } } }
+ show +
131
132
133
134
135
136
137
138
139
140
141
142
/* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access); if ( rc == 0 ) { pod_lock(p2m); p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); pod_unlock(p2m); if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
+ show +
143
144
145
146
147
148
149
150
151
152
set_gpfn_from_mfn(mfn_x(mfn_add(mfn, i)), gfn_x(gfn_add(gfn, i))); } } out: p2m_unlock(p2m); return rc; }
.\cloneFuncs\totalClone\Type-3\CVE-2021-28705_before_6mo_1620198450_guest_physmap_add_entry.c
117
118
119
120
121
122
123
124
125
126
ASSERT(mfn_valid(omfn)); P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n", gfn_x(ogfn) , mfn_x(omfn)); if ( mfn_eq(omfn, mfn_add(mfn, i)) && (rc = p2m_remove_page(p2m, ogfn, omfn, 0)) ) goto out; } } }
+ show +
127
128
129
130
131
132
133
134
135
136
137
138
/* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access); if ( rc == 0 ) { pod_lock(p2m); p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); pod_unlock(p2m); if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ )
+ show +
139
140
141
142
143
144
145
146
147
148
set_gpfn_from_mfn(mfn_x(mfn_add(mfn, i)), gfn_x(gfn_add(gfn, i))); } } out: p2m_unlock(p2m); return rc; }

[xen_CVE-2021-28705_1637579552_p2m_remove_page.diff] p2m_remove_page_OLD.c #1
unsigned long i; p2m_type_t t; p2m_access_t a; + int rc; ASSERT(gfn_locked_by_me(p2m, gfn)); P2M_DEBUG("removing gfn=%#lx mfn=%#lx\n", gfn_x(gfn), mfn_x(mfn));
.\cloneFuncs\totalClone\Type-1\CVE-2021-28705_before_1mo_1631104665_p2m_remove_page.c
1
2
3
4
static int __must_check p2m_remove_page(struct p2m_domain *p2m, gfn_t gfn, mfn_t mfn, unsigned int page_order) {
+ show +
5
6
7
8
9
10
unsigned long i; p2m_type_t t; p2m_access_t a; ASSERT(gfn_locked_by_me(p2m, gfn)); P2M_DEBUG("removing gfn=%#lx mfn=%#lx\n", gfn_x(gfn), mfn_x(mfn));
+ show +
11
12
13
14
15
16
17
18
19
20
for ( i = 0; i < (1UL << page_order); ) { unsigned int cur_order; mfn_t mfn_return = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, &cur_order, NULL); if ( p2m_is_valid(t) && (!mfn_valid(mfn) || t == p2m_mmio_direct || !mfn_eq(mfn_add(mfn, i), mfn_return)) )
.\cloneFuncs\totalClone\Type-3\CVE-2021-28705_before_6mo_1620198450_p2m_remove_page.c
1
2
3
4
static int __must_check p2m_remove_page(struct p2m_domain *p2m, gfn_t gfn, mfn_t mfn, unsigned int page_order) {
+ show +
5
6
7
8
9
10
unsigned long i; p2m_type_t t; p2m_access_t a; ASSERT(gfn_locked_by_me(p2m, gfn)); P2M_DEBUG("removing gfn=%#lx mfn=%#lx\n", gfn_x(gfn), mfn_x(mfn));
+ show +
11
12
13
14
15
16
17
18
19
20
for ( i = 0; i < (1UL << page_order); ) { unsigned int cur_order; mfn_t mfn_return = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, &cur_order, NULL); if ( p2m_is_valid(t) && (!mfn_valid(mfn) || !mfn_eq(mfn_add(mfn, i), mfn_return)) ) return -EILSEQ;

[xen_CVE-2021-28705_1637579552_set_typed_p2m_entry.diff] set_typed_p2m_entry_OLD.c #1
return 0; } } + + P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn)); + rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access); + if ( unlikely(rc) ) + { + gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n", + gfn_l, order, rc, mfn_x(mfn)); + + /* + * The operation may have partially succeeded. For the successful part + * we need to update PoD stats, M2P, and dirty state. + */ + if ( order != PAGE_ORDER_4K ) + { + unsigned long i; + + for ( i = 0; i < (1UL << order); ++i ) + { + p2m_type_t t; + mfn_t cmfn = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, + NULL, NULL); + + if ( !mfn_eq(cmfn, mfn_add(mfn, i)) || t != gfn_p2mt || + a != access ) + continue; + + if ( p2m_is_ram(ot) ) + { + ASSERT(mfn_valid(mfn_add(omfn, i))); + set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); + + ioreq_request_mapcache_invalidate(d); + } + else if ( p2m_is_pod(ot) ) + { + pod_lock(p2m); + BUG_ON(!p2m->pod.entry_count); + --p2m->pod.entry_count; + pod_unlock(p2m); + } + } + } + } else if ( p2m_is_ram(ot) ) { unsigned long i;
.\cloneFuncs\totalClone\Type-1\CVE-2021-28705_before_1mo_1631104665_set_typed_p2m_entry.c
34
35
36
37
38
39
40
41
42
43
d, gfn_l, mfn_x(omfn), cur_order, ot, a, mfn_x(mfn), order, gfn_p2mt, access); domain_crash(d); return -EPERM; } if ( access == a ) { gfn_unlock(p2m, gfn, order);
+ show +
44
45
46
47
48
49
return 0; } } else if ( p2m_is_ram(ot) ) { unsigned long i;
+ show +
50
51
52
53
54
55
56
57
58
59
for ( i = 0; i < (1UL << order); ++i ) { ASSERT(mfn_valid(mfn_add(omfn, i))); set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); } ioreq_request_mapcache_invalidate(d); }

[xen_CVE-2021-28710_1637331248_domain_pgd_maddr.diff] domain_pgd_maddr_OLD.c #1
{ pagetable_t pgt = p2m_get_pagetable(p2m_get_hostp2m(d)); - return pagetable_get_paddr(pgt); + pgd_maddr = pagetable_get_paddr(pgt); } - - if ( !hd->arch.vtd.pgd_maddr ) + else { - /* Ensure we have pagetables allocated down to leaf PTE. */ - addr_to_dma_page_maddr(d, 0, 1); - if ( !hd->arch.vtd.pgd_maddr ) - return 0; - } + { + /* Ensure we have pagetables allocated down to leaf PTE. */ + addr_to_dma_page_maddr(d, 0, 1); - pgd_maddr = hd->arch.vtd.pgd_maddr; + if ( !hd->arch.vtd.pgd_maddr ) + return 0; + } + + pgd_maddr = hd->arch.vtd.pgd_maddr; + } /* Skip top levels of page tables for 2- and 3-level DRHDs. */ for ( agaw = level_to_agaw(4);
.\cloneFuncs\totalClone\Type-1\CVE-2021-28710_before_1mo_1634032628_domain_pgd_maddr.c
1
2
3
4
5
6
7
8
9
static uint64_t domain_pgd_maddr(struct domain *d, unsigned int nr_pt_levels) { struct domain_iommu *hd = dom_iommu(d); uint64_t pgd_maddr; unsigned int agaw; ASSERT(spin_is_locked(&hd->arch.mapping_lock)); if ( iommu_use_hap_pt(d) )
+ show +
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{ pagetable_t pgt = p2m_get_pagetable(p2m_get_hostp2m(d)); return pagetable_get_paddr(pgt); } if ( !hd->arch.vtd.pgd_maddr ) { /* Ensure we have pagetables allocated down to leaf PTE. */ addr_to_dma_page_maddr(d, 0, 1); if ( !hd->arch.vtd.pgd_maddr ) return 0; } pgd_maddr = hd->arch.vtd.pgd_maddr; /* Skip top levels of page tables for 2- and 3-level DRHDs. */ for ( agaw = level_to_agaw(4);
+ show +
29
30
31
32
33
34
35
36
37
38
agaw != level_to_agaw(nr_pt_levels); agaw-- ) { const struct dma_pte *p = map_vtd_domain_page(pgd_maddr); pgd_maddr = dma_pte_addr(*p); unmap_vtd_domain_page(p); if ( !pgd_maddr ) return 0; }

[linux_CVE-2021-29657_1617186283_enter_svm_guest_mode.diff] enter_svm_guest_mode_OLD.c #1
int ret; svm->nested.vmcb12_gpa = vmcb12_gpa; - load_nested_vmcb_control(svm, &vmcb12->control); nested_prepare_vmcb_save(svm, vmcb12); nested_prepare_vmcb_control(svm);
.\cloneFuncs\totalClone\Type-1\CVE-2021-29657_before_1mo_1600774994_enter_svm_guest_mode.c
1
2
3
int enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb12_gpa, struct vmcb *vmcb12) {
+ show +
4
5
6
7
8
9
int ret; svm->nested.vmcb12_gpa = vmcb12_gpa; load_nested_vmcb_control(svm, &vmcb12->control); nested_prepare_vmcb_save(svm, vmcb12); nested_prepare_vmcb_control(svm);
+ show +
10
11
12
13
14
15
16
17
18
19
ret = nested_svm_load_cr3(&svm->vcpu, vmcb12->save.cr3, nested_npt_enabled(svm)); if (ret) return ret; svm_set_gif(svm, true); return 0; }

[linux_CVE-2021-29657_1617186283_nested_svm_vmrun.diff] nested_svm_vmrun_OLD.c #1
if (WARN_ON_ONCE(!svm->nested.initialized)) return -EINVAL; - if (!nested_vmcb_checks(svm, vmcb12)) { + load_nested_vmcb_control(svm, &vmcb12->control); + + if (!nested_vmcb_check_save(svm, vmcb12) || + !nested_vmcb_check_controls(&svm->nested.ctl)) { vmcb12->control.exit_code = SVM_EXIT_ERR; vmcb12->control.exit_code_hi = 0; vmcb12->control.exit_info_1 = 0;
.\cloneFuncs\totalClone\Type-1\CVE-2021-29657_before_imd_1601551794_nested_svm_vmrun.c
18
19
20
21
22
23
24
25
26
27
kvm_inject_gp(&svm->vcpu, 0); return 1; } else if (ret) { return kvm_skip_emulated_instruction(&svm->vcpu); } ret = kvm_skip_emulated_instruction(&svm->vcpu); vmcb12 = map.hva;
+ show +
28
29
30
31
32
33
34
if (WARN_ON_ONCE(!svm->nested.initialized)) return -EINVAL; if (!nested_vmcb_checks(svm, vmcb12)) { vmcb12->control.exit_code = SVM_EXIT_ERR; vmcb12->control.exit_code_hi = 0; vmcb12->control.exit_info_1 = 0;
+ show +
35
36
37
38
39
40
41
42
43
44
vmcb12->control.exit_info_2 = 0; goto out; } trace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb12_gpa, vmcb12->save.rip, vmcb12->control.int_ctl, vmcb12->control.event_inj, vmcb12->control.nested_ctl);

[qemu_CVE-2021-3392_1618839767_mptsas_process_scsi_io_request.diff] mptsas_process_scsi_io_request_OLD.c #1
} req = g_new0(MPTSASRequest, 1); - QTAILQ_INSERT_TAIL(&s->pending, req, next); req->scsi_io = *scsi_io; req->dev = s;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3392_before_1mo_1603457064_mptsas_process_scsi_io_request.c
9
10
11
12
13
14
15
16
17
18
mptsas_fix_scsi_io_endianness(scsi_io); trace_mptsas_process_scsi_io_request(s, scsi_io->Bus, scsi_io->TargetID, scsi_io->LUN[1], scsi_io->DataLength); status = mptsas_scsi_device_find(s, scsi_io->Bus, scsi_io->TargetID, scsi_io->LUN, &sdev); if (status) { goto bad;
+ show +
19
20
21
22
23
24
} req = g_new0(MPTSASRequest, 1); QTAILQ_INSERT_TAIL(&s->pending, req, next); req->scsi_io = *scsi_io; req->dev = s;
+ show +
25
26
27
28
29
30
31
32
33
34
status = mptsas_build_sgl(s, req, addr); if (status) { goto free_bad; } if (req->qsg.size < scsi_io->DataLength) { trace_mptsas_sgl_overflow(s, scsi_io->MsgContext, scsi_io->DataLength, req->qsg.size); status = MPI_IOCSTATUS_INVALID_SGL;

[qemu_CVE-2021-3416_1614627330_do_tx_packet.diff] do_tx_packet_OLD.c #1
/* FIXME: Honor TX disable, and allow queueing of packets. */ if (s->phy_control & 0x4000) { /* This assumes the receive routine doesn't touch the VLANClient. */ - lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); } else { qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); }
.\cloneFuncs\totalClone\Type-1\CVE-2021-3416_before_1mo_1610129040_do_tx_packet.c
1
2
3
4
5
static void do_tx_packet(lan9118_state *s) { int n; uint32_t status;
+ show +
6
7
8
9
10
11
12
/* FIXME: Honor TX disable, and allow queueing of packets. */ if (s->phy_control & 0x4000) { /* This assumes the receive routine doesn't touch the VLANClient. */ lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); } else { qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); }
+ show +
13
14
15
16
17
18
19
20
21
22
s->txp->fifo_used = 0; if (s->tx_status_fifo_used == 512) { /* Status FIFO full */ return; } /* Add entry to status FIFO. */ status = s->txp->cmd_b & 0xffff0000u; DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, s->txp->len); n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;

[linux_CVE-2021-3491_1620218826_io_add_buffers.diff] io_add_buffers_OLD.c #1
break; buf->addr = addr; - buf->len = pbuf->len; + buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT); buf->bid = bid; addr += pbuf->len; bid++;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3491_before_1mo_1617414334_io_add_buffers.c
1
2
3
4
5
6
7
8
9
static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) { struct io_buffer *buf; u64 addr = pbuf->addr; int i, bid = pbuf->bid; for (i = 0; i < pbuf->nbufs; i++) { buf = kmalloc(sizeof(*buf), GFP_KERNEL); if (!buf)
+ show +
10
11
12
13
14
15
16
break; buf->addr = addr; buf->len = pbuf->len; buf->bid = bid; addr += pbuf->len; bid++;
+ show +
17
18
19
20
21
22
23
24
25
26
if (!*head) { INIT_LIST_HEAD(&buf->list); *head = buf; } else { list_add_tail(&buf->list, &(*head)->list); } } return i ? i : -ENOMEM; }

[qemu_CVE-2021-3527_1620048555_usb_ep_combine_input_packets.diff] usb_ep_combine_input_packets_OLD.c #1
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || next == NULL || /* Work around for Linux usbfs bulk splitting + migration */ - (totalsize == (16 * KiB - 36) && p->int_req)) { + (totalsize == (16 * KiB - 36) && p->int_req) || + /* Next package may grow combined package over 1MiB */ + totalsize > 1 * MiB - ep->max_packet_size) { usb_device_handle_data(ep->dev, first); assert(first->status == USB_RET_ASYNC); if (first->combined) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3527_before_1mo_1548254454_usb_ep_combine_input_packets.c
40
41
42
43
44
45
46
47
48
49
qemu_iovec_init(&combined->iov, 2); usb_combined_packet_add(combined, first); } usb_combined_packet_add(first->combined, p); } else { first = p; } /* Is this packet the last one of a (combined) transfer? */ totalsize = (p->combined) ? p->combined->iov.size : p->iov.size;
+ show +
50
51
52
53
54
55
56
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || next == NULL || /* Work around for Linux usbfs bulk splitting + migration */ (totalsize == (16 * KiB - 36) && p->int_req)) { usb_device_handle_data(ep->dev, first); assert(first->status == USB_RET_ASYNC); if (first->combined) {
+ show +
57
58
59
60
61
62
63
64
65
66
QTAILQ_FOREACH(u, &first->combined->packets, combined_entry) { usb_packet_set_state(u, USB_PACKET_ASYNC); } } else { usb_packet_set_state(first, USB_PACKET_ASYNC); } first = NULL; prev = p; } }

[qemu_CVE-2021-3545_1621134236_virgl_cmd_get_capset_info.diff] virgl_cmd_get_capset_info_OLD.c #1
VUGPU_FILL_CMD(info); + memset(&resp, 0, sizeof(resp)); if (info.capset_index == 0) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; virgl_renderer_get_cap_set(resp.capset_id,
.\cloneFuncs\totalClone\Type-1\CVE-2021-3545_before_1mo_1612435935_virgl_cmd_get_capset_info.c
1
2
3
4
5
6
7
static void virgl_cmd_get_capset_info(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_get_capset_info info; struct virtio_gpu_resp_capset_info resp;
+ show +
8
9
10
11
12
VUGPU_FILL_CMD(info); if (info.capset_index == 0) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; virgl_renderer_get_cap_set(resp.capset_id,
+ show +
13
14
15
16
17
18
19
20
21
22
&resp.capset_max_version, &resp.capset_max_size); } else if (info.capset_index == 1) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL2; virgl_renderer_get_cap_set(resp.capset_id, &resp.capset_max_version, &resp.capset_max_size); } else { resp.capset_max_version = 0; resp.capset_max_size = 0;

[qemu_CVE-2021-3546_1621134242_virgl_cmd_get_capset.diff] virgl_cmd_get_capset_OLD.c #1
virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size); + if (!max_size) { + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } resp = g_malloc0(sizeof(*resp) + max_size); resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3546_before_1mo_1615543243_virgl_cmd_get_capset.c
1
2
3
4
5
6
7
8
9
10
static void virgl_cmd_get_capset(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_get_capset gc; struct virtio_gpu_resp_capset *resp; uint32_t max_ver, max_size; VUGPU_FILL_CMD(gc);
+ show +
11
12
13
14
15
virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size); resp = g_malloc0(sizeof(*resp) + max_size); resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ show +
16
17
18
19
20
21
virgl_renderer_fill_caps(gc.capset_id, gc.capset_version, (void *)resp->capset_data); vg_ctrl_response(g, cmd, &resp->hdr, sizeof(*resp) + max_size); g_free(resp); }

[linux_CVE-2021-3640_1630167498_sco_send_frame.diff] sco_send_frame_OLD.c #1
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) +static int sco_send_frame(struct sock *sk, void *buf, int len, + unsigned int msg_flags) { struct sco_conn *conn = sco_pi(sk)->conn; struct sk_buff *skb;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3640_before_1mo_1624633209_sco_send_frame.c
+ show +
1
2
3
4
static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) { struct sco_conn *conn = sco_pi(sk)->conn; struct sk_buff *skb;
+ show +
5
6
7
8
9
10
11
12
13
14
int err; /* Check outgoing MTU */ if (len > conn->mtu) return -EINVAL; BT_DBG("sk %p len %d", sk, len); skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); if (!skb)

[linux_CVE-2021-3640_1630167498_sco_sock_sendmsg.diff] sco_sock_sendmsg_OLD.c #1
size_t len) { struct sock *sk = sock->sk; + void *buf; int err; BT_DBG("sock %p, sk %p", sock, sk);
.\cloneFuncs\totalClone\Type-1\CVE-2021-3640_before_1mo_1624633209_sco_sock_sendmsg.c
1
static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ show +
2
3
4
5
6
7
size_t len) { struct sock *sk = sock->sk; int err; BT_DBG("sock %p, sk %p", sock, sk);
+ show +
8
9
10
11
12
13
14
15
16
17
err = sock_error(sk); if (err) return err; if (msg->msg_flags & MSG_OOB) return -EOPNOTSUPP; lock_sock(sk);

[linux_CVE-2021-3653_1631634496_nested_vmcb02_prepare_control.diff] nested_vmcb02_prepare_control_OLD.c #1
(svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) | (svm->vmcb01.ptr->control.int_ctl & int_ctl_vmcb01_bits); - svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext; svm->vmcb->control.int_vector = svm->nested.ctl.int_vector; svm->vmcb->control.int_state = svm->nested.ctl.int_state; svm->vmcb->control.event_inj = svm->nested.ctl.event_inj;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3653_before_imd_1631542191_nested_vmcb02_prepare_control.c
29
30
31
32
33
34
35
36
37
38
svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING; /* nested_cr3. */ if (nested_npt_enabled(svm)) nested_svm_init_mmu_context(vcpu); svm->vmcb->control.tsc_offset = vcpu->arch.tsc_offset = vcpu->arch.l1_tsc_offset + svm->nested.ctl.tsc_offset; svm->vmcb->control.int_ctl =
+ show +
39
40
41
42
43
44
45
(svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) | (svm->vmcb01.ptr->control.int_ctl & int_ctl_vmcb01_bits); svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext; svm->vmcb->control.int_vector = svm->nested.ctl.int_vector; svm->vmcb->control.int_state = svm->nested.ctl.int_state; svm->vmcb->control.event_inj = svm->nested.ctl.event_inj;
+ show +
46
47
48
49
50
51
52
53
54
55
svm->vmcb->control.event_inj_err = svm->nested.ctl.event_inj_err; svm->vmcb->control.pause_filter_count = svm->nested.ctl.pause_filter_count; svm->vmcb->control.pause_filter_thresh = svm->nested.ctl.pause_filter_thresh; nested_svm_transition_tlb_flush(vcpu); /* Enter Guest-Mode */ enter_guest_mode(vcpu);

[openssl_CVE-2021-3711_1628860491_test_sm2_crypt.diff] test_sm2_crypt_OLD.c #1
if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) goto done; - if (!TEST_true(ossl_sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) + if (!TEST_true(ossl_sm2_plaintext_size(ctext, ctext_len, &ptext_len)) || !TEST_int_eq(ptext_len, msg_len)) goto done;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3711_before_1mo_1615234490_test_sm2_crypt.c
40
41
42
43
44
45
46
47
48
49
start_fake_rand(k_hex); if (!TEST_true(ossl_sm2_encrypt(key, digest, (const uint8_t *)message, msg_len, ctext, &ctext_len))) { restore_rand(); goto done; } restore_rand();
+ show +
50
51
52
53
54
55
if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) goto done; if (!TEST_true(ossl_sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) || !TEST_int_eq(ptext_len, msg_len)) goto done;
+ show +
56
57
58
59
60
61
62
63
64
65
recovered = OPENSSL_zalloc(ptext_len); if (!TEST_ptr(recovered) || !TEST_true(ossl_sm2_decrypt(key, digest, ctext, ctext_len, recovered, &recovered_len)) || !TEST_int_eq(recovered_len, msg_len) || !TEST_mem_eq(recovered, recovered_len, message, msg_len)) goto done; rc = 1;

[openssl_CVE-2021-3712_1629372257_EC_GROUP_new_from_ecparameters.diff] EC_GROUP_new_from_ecparameters_OLD.c #1
if (params->order == NULL || params->base == NULL - || params->base->data == NULL) { + || params->base->data == NULL + || params->base->length == 0) { ERR_raise(ERR_LIB_EC, EC_R_ASN1_ERROR); goto err; }
.\cloneFuncs\totalClone\Type-1\CVE-2021-3712_before_1mo_1615247953_EC_GROUP_new_from_ecparameters.c
169
170
171
172
173
174
175
176
177
178
OPENSSL_free(ret->seed); if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } memcpy(ret->seed, params->curve->seed->data, params->curve->seed->length); ret->seed_len = params->curve->seed->length; }
+ show +
179
180
181
182
183
184
if (params->order == NULL || params->base == NULL || params->base->data == NULL) { ERR_raise(ERR_LIB_EC, EC_R_ASN1_ERROR); goto err; }
+ show +
185
186
187
188
189
190
191
192
193
194
if ((point = EC_POINT_new(ret)) == NULL) goto err; /* set the point conversion form */ EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t) (params->base->data[0] & ~0x01)); /* extract the ec point */ if (!EC_POINT_oct2point(ret, point, params->base->data,
.\cloneFuncs\totalClone\Type-2\CVE-2021-3712_before_6mo_1604488999_EC_GROUP_new_from_ecparameters.c
169
170
171
172
173
174
175
176
177
178
OPENSSL_free(ret->seed); if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } memcpy(ret->seed, params->curve->seed->data, params->curve->seed->length); ret->seed_len = params->curve->seed->length; }
+ show +
179
180
181
182
183
184
if (params->order == NULL || params->base == NULL || params->base->data == NULL) { ERR_raise(ERR_LIB_EC, EC_R_ASN1_ERROR); goto err; }
+ show +
185
186
187
188
189
190
191
192
193
194
if ((point = EC_POINT_new(ret)) == NULL) goto err; /* set the point conversion form */ EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t) (params->base->data[0] & ~0x01)); /* extract the ec point */ if (!EC_POINT_oct2point(ret, point, params->base->data,

[qemu_CVE-2021-3713_1629288305_usb_uas_handle_data.diff] usb_uas_handle_data_OLD.c #3
p->status = USB_RET_STALL; break; } + +err_stream: + error_report("%s: invalid stream %d", __func__, p->stream); + p->status = USB_RET_STALL; + return; }
.\cloneFuncs\totalClone\Type-1\CVE-2021-3713_after_1mo_1633033014_usb_uas_handle_data.c
65
66
67
68
69
70
71
72
73
74
? uas->datain2 : uas->dataout2; } if (req == NULL) { if (p->stream) { assert(uas->data3[p->stream] == NULL); uas->data3[p->stream] = p; p->status = USB_RET_ASYNC; break; } else { error_report("%s: no inflight request", __func__);
+ show +
75
76
77
78
p->status = USB_RET_STALL; break; } }
+ show +
79
80
81
82
83
84
85
86
87
88
scsi_req_ref(req->req); req->data = p; usb_uas_copy_data(req); if (p->actual_length == p->iov.size || req->complete) { req->data = NULL; } else { req->data_async = true; p->status = USB_RET_ASYNC; } scsi_req_unref(req->req);
.\cloneFuncs\totalClone\Type-1\CVE-2021-3713_before_1mo_1605552036_usb_uas_handle_data.c
59
60
61
62
63
64
65
66
67
68
? uas->datain2 : uas->dataout2; } if (req == NULL) { if (p->stream) { assert(uas->data3[p->stream] == NULL); uas->data3[p->stream] = p; p->status = USB_RET_ASYNC; break; } else { error_report("%s: no inflight request", __func__);
+ show +
69
70
71
72
p->status = USB_RET_STALL; break; } }
+ show +
73
74
75
76
77
78
79
80
81
82
scsi_req_ref(req->req); req->data = p; usb_uas_copy_data(req); if (p->actual_length == p->iov.size || req->complete) { req->data = NULL; } else { req->data_async = true; p->status = USB_RET_ASYNC; } scsi_req_unref(req->req);

[qemu_CVE-2021-3713_1629288305_usb_uas_handle_data.diff] usb_uas_handle_data_OLD.c #1
} break; case UAS_PIPE_ID_STATUS: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { QTAILQ_FOREACH(st, &uas->results, next) { if (st->stream == p->stream) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3713_before_1mo_1605552036_usb_uas_handle_data.c
15
16
17
18
19
20
21
22
23
24
usb_uas_command(uas, &iu); break; case UAS_UI_TASK_MGMT: usb_uas_task(uas, &iu); break; default: error_report("%s: unknown command iu: id 0x%x", __func__, iu.hdr.id); p->status = USB_RET_STALL; break;
+ show +
25
26
27
28
29
30
} break; case UAS_PIPE_ID_STATUS: if (p->stream) { QTAILQ_FOREACH(st, &uas->results, next) { if (st->stream == p->stream) {
+ show +
31
32
33
34
35
36
37
38
39
40
break; } } if (st == NULL) { assert(uas->status3[p->stream] == NULL); uas->status3[p->stream] = p; p->status = USB_RET_ASYNC; break; } } else {

[qemu_CVE-2021-3713_1629288305_usb_uas_handle_data.diff] usb_uas_handle_data_OLD.c #2
break; case UAS_PIPE_ID_DATA_IN: case UAS_PIPE_ID_DATA_OUT: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { req = usb_uas_find_request(uas, p->stream); } else {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3713_before_1mo_1605552036_usb_uas_handle_data.c
42
43
44
45
46
47
48
49
50
51
if (st == NULL) { assert(uas->status2 == NULL); uas->status2 = p; p->status = USB_RET_ASYNC; break; } } usb_packet_copy(p, &st->status, st->length); QTAILQ_REMOVE(&uas->results, st, next); g_free(st);
+ show +
52
53
54
55
56
57
break; case UAS_PIPE_ID_DATA_IN: case UAS_PIPE_ID_DATA_OUT: if (p->stream) { req = usb_uas_find_request(uas, p->stream); } else {
+ show +
58
59
60
61
62
63
64
65
66
67
req = (p->ep->nr == UAS_PIPE_ID_DATA_IN) ? uas->datain2 : uas->dataout2; } if (req == NULL) { if (p->stream) { assert(uas->data3[p->stream] == NULL); uas->data3[p->stream] = p; p->status = USB_RET_ASYNC; break; } else {

[qemu_CVE-2021-3748_1630561452_virtio_net_receive_rcu.diff] virtio_net_receive_rcu_OLD.c #1
VirtIONet *n = qemu_get_nic_opaque(nc); VirtIONetQueue *q = virtio_net_get_subqueue(nc); VirtIODevice *vdev = VIRTIO_DEVICE(n); + VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; + size_t lens[VIRTQUEUE_MAX_SIZE]; struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; struct virtio_net_hdr_mrg_rxbuf mhdr; unsigned mhdr_cnt = 0; - size_t offset, i, guest_offset; + size_t offset, i, guest_offset, j; + ssize_t err; if (!virtio_net_can_receive(nc)) { return -1;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3748_before_1mo_1622810328_virtio_net_receive_rcu.c
1
2
3
static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, size_t size, bool no_rss) {
+ show +
4
5
6
7
8
9
10
11
12
13
VirtIONet *n = qemu_get_nic_opaque(nc); VirtIONetQueue *q = virtio_net_get_subqueue(nc); VirtIODevice *vdev = VIRTIO_DEVICE(n); struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; struct virtio_net_hdr_mrg_rxbuf mhdr; unsigned mhdr_cnt = 0; size_t offset, i, guest_offset; if (!virtio_net_can_receive(nc)) { return -1;
+ show +
14
15
16
17
18
19
20
21
22
23
} if (!no_rss && n->rss_data.enabled && n->rss_data.enabled_software_rss) { int index = virtio_net_process_rss(nc, buf, size); if (index >= 0) { NetClientState *nc2 = qemu_get_subqueue(n->nic, index); return virtio_net_receive_rcu(nc2, buf, size, true); } }
.\cloneFuncs\totalClone\Type-2\CVE-2021-3748_before_6mo_1614272106_virtio_net_receive_rcu.c
1
2
3
static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, size_t size, bool no_rss) {
+ show +
4
5
6
7
8
9
10
11
12
13
VirtIONet *n = qemu_get_nic_opaque(nc); VirtIONetQueue *q = virtio_net_get_subqueue(nc); VirtIODevice *vdev = VIRTIO_DEVICE(n); struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; struct virtio_net_hdr_mrg_rxbuf mhdr; unsigned mhdr_cnt = 0; size_t offset, i, guest_offset; if (!virtio_net_can_receive(nc)) { return -1;
+ show +
14
15
16
17
18
19
20
21
22
23
} if (!no_rss && n->rss_data.enabled) { int index = virtio_net_process_rss(nc, buf, size); if (index >= 0) { NetClientState *nc2 = qemu_get_subqueue(n->nic, index); return virtio_net_receive_rcu(nc2, buf, size, true); } }

[qemu_CVE-2021-3748_1630561452_virtio_net_receive_rcu.diff] virtio_net_receive_rcu_OLD.c #2
total = 0; + if (i == VIRTQUEUE_MAX_SIZE) { + virtio_error(vdev, "virtio-net unexpected long buffer chain"); + err = size; + goto err; + } + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3748_before_1mo_1622810328_virtio_net_receive_rcu.c
29
30
31
32
33
34
35
36
37
38
if (!receive_filter(n, buf, size)) return size; offset = i = 0; while (offset < size) { VirtQueueElement *elem; int len, total; const struct iovec *sg;
+ show +
39
40
41
42
43
total = 0; elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) {
+ show +
44
45
46
47
48
49
50
51
52
53
virtio_error(vdev, "virtio-net unexpected empty queue: " "i %zd mergeable %d offset %zd, size %zd, " "guest hdr len %zd, host hdr len %zd " "guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size, n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; }
.\cloneFuncs\totalClone\Type-2\CVE-2021-3748_before_6mo_1614272106_virtio_net_receive_rcu.c
29
30
31
32
33
34
35
36
37
38
if (!receive_filter(n, buf, size)) return size; offset = i = 0; while (offset < size) { VirtQueueElement *elem; int len, total; const struct iovec *sg;
+ show +
39
40
41
42
43
total = 0; elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) {
+ show +
44
45
46
47
48
49
50
51
52
53
virtio_error(vdev, "virtio-net unexpected empty queue: " "i %zd mergeable %d offset %zd, size %zd, " "guest hdr len %zd, host hdr len %zd " "guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size, n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; }

[qemu_CVE-2021-3748_1630561452_virtio_net_receive_rcu.diff] virtio_net_receive_rcu_OLD.c #3
n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } - return -1; + err = -1; + goto err; } if (elem->in_num < 1) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3748_before_1mo_1622810328_virtio_net_receive_rcu.c
39
40
41
42
43
44
45
46
47
48
total = 0; elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) { virtio_error(vdev, "virtio-net unexpected empty queue: " "i %zd mergeable %d offset %zd, size %zd, " "guest hdr len %zd, host hdr len %zd " "guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size,
+ show +
49
50
51
52
53
54
55
n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; } if (elem->in_num < 1) {
+ show +
56
57
58
59
60
61
62
63
64
65
virtio_error(vdev, "virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); return -1; } sg = elem->in_sg; if (i == 0) { assert(offset == 0);
.\cloneFuncs\totalClone\Type-2\CVE-2021-3748_before_6mo_1614272106_virtio_net_receive_rcu.c
39
40
41
42
43
44
45
46
47
48
total = 0; elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) { virtio_error(vdev, "virtio-net unexpected empty queue: " "i %zd mergeable %d offset %zd, size %zd, " "guest hdr len %zd, host hdr len %zd " "guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size,
+ show +
49
50
51
52
53
54
55
n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; } if (elem->in_num < 1) {
+ show +
56
57
58
59
60
61
62
63
64
65
virtio_error(vdev, "virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); return -1; } sg = elem->in_sg; if (i == 0) { assert(offset == 0);

[qemu_CVE-2021-3748_1630561452_virtio_net_receive_rcu.diff] virtio_net_receive_rcu_OLD.c #4
"virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); - return -1; + err = -1; + goto err; } sg = elem->in_sg;
.\cloneFuncs\totalClone\Type-1\CVE-2021-3748_before_1mo_1622810328_virtio_net_receive_rcu.c
47
48
49
50
51
52
53
54
55
56
"guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size, n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; } if (elem->in_num < 1) { virtio_error(vdev,
+ show +
57
58
59
60
61
62
63
"virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); return -1; } sg = elem->in_sg;
+ show +
64
65
66
67
68
69
70
71
72
73
if (i == 0) { assert(offset == 0); if (n->mergeable_rx_bufs) { mhdr_cnt = iov_copy(mhdr_sg, ARRAY_SIZE(mhdr_sg), sg, elem->in_num, offsetof(typeof(mhdr), num_buffers), sizeof(mhdr.num_buffers)); } receive_header(n, sg, elem->in_num, buf, size);
.\cloneFuncs\totalClone\Type-2\CVE-2021-3748_before_6mo_1614272106_virtio_net_receive_rcu.c
47
48
49
50
51
52
53
54
55
56
"guest features 0x%" PRIx64, i, n->mergeable_rx_bufs, offset, size, n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } return -1; } if (elem->in_num < 1) { virtio_error(vdev,
+ show +
57
58
59
60
61
62
63
"virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); return -1; } sg = elem->in_sg;
+ show +
64
65
66
67
68
69
70
71
72
73
if (i == 0) { assert(offset == 0); if (n->mergeable_rx_bufs) { mhdr_cnt = iov_copy(mhdr_sg, ARRAY_SIZE(mhdr_sg), sg, elem->in_num, offsetof(typeof(mhdr), num_buffers), sizeof(mhdr.num_buffers)); } receive_header(n, sg, elem->in_num, buf, size);

[qemu_CVE-2021-3748_1630561452_virtio_net_receive_rcu.diff] virtio_net_receive_rcu_OLD.c #5
if (!n->mergeable_rx_bufs && offset < size) { virtqueue_unpop(q->rx_vq, elem, total); g_free(elem); - return size; + err = size; + goto err; } - /* signal other side */ - virtqueue_fill(q->rx_vq, elem, total, i++); - g_free(elem); + elems[i] = elem; + lens[i] = total; + i++; } if (mhdr_cnt) {
.\cloneFuncs\totalClone\Type-1\CVE-2021-3748_before_1mo_1622810328_virtio_net_receive_rcu.c
84
85
86
87
88
89
90
91
92
93
} /* copy in packet. ugh */ len = iov_from_buf(sg, elem->in_num, guest_offset, buf + offset, size - offset); total += len; offset += len; /* If buffers can't be merged, at this point we * must have consumed the complete packet. * Otherwise, drop it. */
+ show +
94
95
96
97
98
99
100
101
102
103
104
105
if (!n->mergeable_rx_bufs && offset < size) { virtqueue_unpop(q->rx_vq, elem, total); g_free(elem); return size; } /* signal other side */ virtqueue_fill(q->rx_vq, elem, total, i++); g_free(elem); } if (mhdr_cnt) {
+ show +
106
107
108
109
110
111
112
113
114
115
virtio_stw_p(vdev, &mhdr.num_buffers, i); iov_from_buf(mhdr_sg, mhdr_cnt, 0, &mhdr.num_buffers, sizeof mhdr.num_buffers); } virtqueue_flush(q->rx_vq, i); virtio_notify(vdev, q->rx_vq); return size;
.\cloneFuncs\totalClone\Type-2\CVE-2021-3748_before_6mo_1614272106_virtio_net_receive_rcu.c
84
85
86
87
88
89
90
91
92
93
} /* copy in packet. ugh */ len = iov_from_buf(sg, elem->in_num, guest_offset, buf + offset, size - offset); total += len; offset += len; /* If buffers can't be merged, at this point we * must have consumed the complete packet. * Otherwise, drop it. */
+ show +
94
95
96
97
98
99
100
101
102
103
104
105
if (!n->mergeable_rx_bufs && offset < size) { virtqueue_unpop(q->rx_vq, elem, total); g_free(elem); return size; } /* signal other side */ virtqueue_fill(q->rx_vq, elem, total, i++); g_free(elem); } if (mhdr_cnt) {
+ show +
106
107
108
109
110
111
112
113
114
115
virtio_stw_p(vdev, &mhdr.num_buffers, i); iov_from_buf(mhdr_sg, mhdr_cnt, 0, &mhdr.num_buffers, sizeof mhdr.num_buffers); } virtqueue_flush(q->rx_vq, i); virtio_notify(vdev, q->rx_vq); return size;

[qemu_CVE-2021-3930_1636043498_mode_sense_page.diff] mode_sense_page_OLD.c #1
uint8_t *p = *p_outbuf + 2; int length; + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; }
.\cloneFuncs\totalClone\Type-1\CVE-2021-3930_before_1mo_1614001256_mode_sense_page.c
3
4
5
6
7
8
9
10
11
12
{ static const int mode_sense_valid[0x3f] = { [MODE_PAGE_HD_GEOMETRY] = (1 << TYPE_DISK), [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK), [MODE_PAGE_CACHING] = (1 << TYPE_DISK) | (1 << TYPE_ROM), [MODE_PAGE_R_W_ERROR] = (1 << TYPE_DISK) | (1 << TYPE_ROM), [MODE_PAGE_AUDIO_CTL] = (1 << TYPE_ROM), [MODE_PAGE_CAPABILITIES] = (1 << TYPE_ROM), };
+ show +
13
14
15
16
17
18
uint8_t *p = *p_outbuf + 2; int length; if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; }
+ show +
19
20
21
22
23
24
25
26
27
28
/* * If Changeable Values are requested, a mask denoting those mode parameters * that are changeable shall be returned. As we currently don't support * parameter changes via MODE_SELECT all bits are returned set to zero. * The buffer was already menset to zero by the caller of this function. * * The offsets here are off by two compared to the descriptions in the * SCSI specs, because those include a 2-byte header. This is unfortunate, * but it is done so that offsets are consistent within our implementation

[qemu_CVE-2021-3930_1636043498_scsi_disk_check_mode_select.diff] scsi_disk_check_mode_select_OLD.c #1
return -1; } + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; + } + p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0);
.\cloneFuncs\totalClone\Type-1\CVE-2021-3930_before_1mo_1614001256_scsi_disk_check_mode_select.c
4
5
6
7
8
9
10
11
12
13
uint8_t mode_current[SCSI_MAX_MODE_LEN]; uint8_t mode_changeable[SCSI_MAX_MODE_LEN]; uint8_t *p; int len, expected_len, changeable_len, i; /* The input buffer does not include the page header, so it is * off by 2 bytes. */ expected_len = inlen + 2; if (expected_len > SCSI_MAX_MODE_LEN) {
+ show +
14
15
16
17
18
19
return -1; } p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0);
+ show +
20
21
22
23
24
25
26
27
28
29
if (len < 0 || len != expected_len) { return -1; } p = mode_changeable; memset(mode_changeable, 0, inlen + 2); changeable_len = mode_sense_page(s, page, &p, 1); assert(changeable_len == len); /* Check that unchangeable bits are the same as what MODE SENSE

[qemu_CVE-2021-3947_1637154776_nvme_changed_nslist.diff] nvme_changed_nslist_OLD.c #1
int i = 0; uint32_t nsid; + if (off >= sizeof(nslist)) { + trace_pci_nvme_err_invalid_log_page_offset(off, sizeof(nslist)); + return NVME_INVALID_FIELD | NVME_DNR; + } + memset(nslist, 0x0, sizeof(nslist)); trans_len = MIN(sizeof(nslist) - off, buf_len);
.\cloneFuncs\totalClone\Type-1\CVE-2021-3947_before_1mo_1631720610_nvme_changed_nslist.c
1
2
3
4
5
static uint16_t nvme_changed_nslist(NvmeCtrl *n, uint8_t rae, uint32_t buf_len, uint64_t off, NvmeRequest *req) { uint32_t nslist[1024]; uint32_t trans_len;
+ show +
6
7
8
9
10
int i = 0; uint32_t nsid; memset(nslist, 0x0, sizeof(nslist)); trans_len = MIN(sizeof(nslist) - off, buf_len);
+ show +
11
12
13
14
15
16
17
18
19
20
while ((nsid = find_first_bit(n->changed_nsids, NVME_CHANGED_NSID_SIZE)) != NVME_CHANGED_NSID_SIZE) { /* * If more than 1024 namespaces, the first entry in the log page should * be set to FFFFFFFFh and the others to 0 as spec. */ if (i == ARRAY_SIZE(nslist)) { memset(nslist, 0x0, sizeof(nslist)); nslist[0] = 0xffffffff;